ThingWorx 9.2, 9.1.4, 9.0.9, and later support Microsoft Entra ID acting as both the Central Auth Server (CAS) and the Identity Provider (IdP) to manage SSO-enabled products. A user is able to access data from their application, and use it in in a ThingWorx session.

In this SSO architecture, ThingWorx sends SAML requests for user authentication to Microsoft Entra ID. Microsoft Entra ID verifies the authenticity of the user credentials and sends an assertion to ThingWorx authorizing the user login.

Microsoft Entra ID also manages the trust relationship between ThingWorx and the resource servers from which ThingWorx retrieves data. Microsoft Entra ID generates access tokens which ThingWorx includes in requests for data from resource providers. Resource servers rely on Microsoft Entra ID to verify the authenticity of the access tokens. This scenario is called delegated authorization because the user is authorizing ThingWorx to obtain their data from a resource server. The access tokens exchanged between ThingWorx, Microsoft Entra ID, and other PTC products use the OAuth protocol.

Before you proceed, make sure you read through the PTC Identity and Access Management Help Center. This Help Center provides an overview of single sign-on and related terminologies as well as detailed information on configuring Microsoft Entra ID. It also provides the following examples of single-sign on configurations: