Using Microsoft Entra ID as a Central Auth Server and an Identity Provider
If you upgrade ThingWorx while using Microsoft Entra ID as the CAS and connecting to a resource server through a ThingWorx connector with the SSO connection type, you must set the mandatoryScopes property under AuthorizationServersSettings in the sso-settings.json file to include offline_access.
Because of a change in Microsoft Entra ID behavior, acquiring a new access token no longer returns a refresh token. As a result, once the access token expires it cannot be refreshed within the session. To recover, the user must log in again, which returns a fresh, valid token and resolves the issue permanently.
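The setting above is easy to miss during an upgrade, so a small pre-flight check is useful. The script below is an added example, not PTC tooling: it loads an sso-settings.json, lists every entry under AuthorizationServersSettings whose mandatoryScopes does not contain offline_access, and produces a corrected copy. Only the two key names the page mentions are taken from the documentation; that entries are keyed by an authorization-server id, and that mandatoryScopes may be either a comma-separated string or a JSON array, are assumptions, so the checker accepts both forms and preserves whichever it finds.

```python
"""Check sso-settings.json for the offline_access mandatory scope.

Added example, not PTC's own tooling. It assumes a top-level
"AuthorizationServersSettings" object whose entries (keyed by an
authorization-server id, an assumption) carry a "mandatoryScopes"
value given either as a comma/space-separated string or as a JSON
array (format assumption).
"""
import json

REQUIRED_SCOPE = "offline_access"


def parse_scopes(value):
    """Normalise a mandatoryScopes value into a list of scope names.

    Accepts a comma- or space-separated string or a list (format
    assumption). A missing value yields an empty list.
    """
    if value is None:
        return []
    if isinstance(value, str):
        return [s for s in value.replace(",", " ").split() if s]
    if isinstance(value, list):
        return [str(s).strip() for s in value if str(s).strip()]
    raise TypeError(f"unsupported mandatoryScopes type: {type(value).__name__}")


def servers_missing_offline_access(settings):
    """Return the ids of authorization servers whose mandatoryScopes
    lack offline_access. `settings` is the parsed sso-settings.json."""
    servers = settings.get("AuthorizationServersSettings", {})
    missing = []
    for server_id, conf in servers.items():
        if REQUIRED_SCOPE not in parse_scopes(conf.get("mandatoryScopes")):
            missing.append(server_id)
    return missing


def add_offline_access(settings):
    """Return a deep copy of settings in which every authorization server's
    mandatoryScopes includes offline_access. The original value format is
    preserved: a string stays a comma-separated string, a list stays a list."""
    fixed = json.loads(json.dumps(settings))  # deep copy via JSON round trip
    for conf in fixed.get("AuthorizationServersSettings", {}).values():
        current = conf.get("mandatoryScopes")
        scopes = parse_scopes(current)
        if REQUIRED_SCOPE in scopes:
            continue
        scopes.append(REQUIRED_SCOPE)
        conf["mandatoryScopes"] = scopes if isinstance(current, list) else ",".join(scopes)
    return fixed


# Constructed sample: a pre-upgrade settings file with one entry still
# lacking offline_access and one already corrected. Server ids are placeholders.
SAMPLE_BEFORE = json.loads("""
{
  "AuthorizationServersSettings": {
    "entra-resource-server": {
      "mandatoryScopes": "openid,profile"
    },
    "already-fixed": {
      "mandatoryScopes": ["openid", "offline_access"]
    }
  }
}
""")

if __name__ == "__main__":
    # To check a real file: settings = json.load(open("sso-settings.json"))
    print("missing offline_access:", servers_missing_offline_access(SAMPLE_BEFORE))
    fixed = add_offline_access(SAMPLE_BEFORE)
    print(json.dumps(fixed["AuthorizationServersSettings"], indent=2))
```

Run it against the real file before restarting ThingWorx after the upgrade; an empty "missing" list means every authorization server entry already requests offline_access, so tokens acquired after the next login can be refreshed within the session.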
ThingWorx 9.2, 9.1.4, 9.0.9, and later support Microsoft Entra ID acting as both the Central Auth Server (CAS) and the Identity Provider (IdP) to manage SSO-enabled products. A user can access data from their application and use it in a ThingWorx session.
In this SSO architecture, ThingWorx sends SAML requests for user authentication to Microsoft Entra ID. Microsoft Entra ID verifies the authenticity of the user credentials and sends an assertion to ThingWorx authorizing the user login.
Microsoft Entra ID also manages the trust relationship between ThingWorx and the resource servers from which ThingWorx retrieves data. Microsoft Entra ID generates access tokens which ThingWorx includes in requests for data from resource providers. Resource servers rely on Microsoft Entra ID to verify the authenticity of the access tokens. This scenario is called delegated authorization because the user is authorizing ThingWorx to obtain their data from a resource server. The access tokens exchanged between ThingWorx, Microsoft Entra ID, and other PTC products use the OAuth protocol.
Before you proceed, make sure you read through the PTC Identity and Access Management Help Center. It provides an overview of single sign-on and related terminology as well as detailed information on configuring Microsoft Entra ID. It also provides the following examples of single sign-on configurations:
• Configuring Authentication with Microsoft Entra ID
• Configuring Authorization with Microsoft Entra ID