Good day everyone,
Today we changed the name of a group in our Active Directory and as a consequence we locked all users relying on that group out of the system for a while until we figured out where the problem is coming from - apparently, the connection between AD & Thingworx is based on the AD Group's name rather than its unique SID. For organisations where names can change frequently, this is quite the issue - is there any way around this currently?
Kind regards,
Martin
You need to configure your AD to send the "group-id" as claim instead of the "display name". Then in TWX you need change the mapping to use the ids to TWX groups (in the ThingworxSSOAuthenticator).
What kind of AD are you using? AAD?
We're only synching to Azure, we're using an in-house one with Windows Domain Controller. Generally, I do believe it's set up properly from our side specifically, I'm just wondering about how to properly implement it on Thingworx' side of things.
I'm assuming you are talking about the ThingworxSSOAuthenticator's "Identity Provider Group Name"?
Yes, I was referring this section. But I assumed that you are already using this section to map your "ad group name" to twx groups. From what I understand you don't do that? So most likely I have misinterpreted your setup (I thought some Single Sign-on setup is in place).
Not exactly - we have a project with a Thingworx Directory Service which has the group mappings from the Active Directory to Thingworx Groups - the problem is that the mapping and search functionality there only lets you select the AD Groups by name so that's when everything broke once the name was changed internally
I see. I have no experience with this one. In the docs I only found
https://support.ptc.com/help/thingworx/platform/r9/en/index.html#page/ThingWorx/Help/Composer/Security/DirectoryServicesAuthentication/ActiveDirectoryGroupsDynamicLogin.html# the parameter "Group Attribute Name" which defaults to "cn" (common name) which twx will use for mapping. Not sure if you could change this to something else which identifies the group by id?
From my google search it does not seem that the AD-group contains some id https://stackoverflow.com/a/33961313
There are attributes for groups in Active Directory for groups that have unique values: objectSid, objectGUID
It would be a great improvement to configure the mapping to those attributes instead of the group name.
Indeed - and how to do that using a Thingworx DirectoryService is why I created this topic. Sadly, in the group mappings it seems like you can only add mappings via common name.