
SSO doesn't work with Pingfederate/Thingworx

idastanka
6-Contributor

Hi,

I have some problems with configuring SSO. I did all the steps in this document https://support.ptc.com/WCMS/files/172779/en/PTC_Single_Sign_on_Architecture_and_Configuration_Overview_Guide.pdf . I'm not sure about Scope; I did as in the guide, WINDCHIILL_READ. Is it right? At the moment I can log in to Thingworx through SSO, but after I make changes in ptc-windchill-integration-connector and ptc-windchill-integration-connector-proxy I get this error

[Screenshot: Selection_057.png]

In Security log i found these errors:

 

2018-01-20 18:33:13.521+0300 [L: ERROR] [O: S.c.t.s.a.s.ThingworxSSOAuthenticator] [I: ] [U: ] [S: ] [T: https-jsse-nio-443-exec-4] [ Failed to utilize the SSO component for authentication ][ The requested scope(s) must be blank or a subset of the provided scopes. ]

2018-01-20 18:33:13.522+0300 [L: ERROR] [O: S.c.t.s.a.AuthenticationFilter] [I: ] [U: ] [S: ] [T: https-jsse-nio-443-exec-4] Could not handle request

2018-01-20 18:33:13.524+0300 [L: ERROR] [O: S.c.t.s.a.AuthenticatorExceptionHandler] [I: ] [U: ] [S: ] [T: https-jsse-nio-443-exec-4] errorMessage: [Unauthorized], statusCode: [401]

2018-01-20 18:33:13.524+0300 [L: ERROR] [O: S.c.t.s.a.AuthenticatorExceptionHandler] [I: ] [U: ] [S: ] [T: https-jsse-nio-443-exec-4] [ The requested scope(s) must be blank or a subset of the provided scopes. ]

 

my sso-settings.json:

{
  "BasicSettings": {
    "clientBaseUrl": "https://ecsc00a00f1d.epam.com:443/Thingworx",
    "idpMetadataFilePath": "/ThingworxPlatform/ssoSecurityConfig/sso-idp-metadata.xml",
    "metadataEntityId": "https://ecsc00a00f1d.epam.com/Thingworx",
    "metadataEntityBaseUrl": "https://ecsc00a00f1d.epam.com/Thingworx",
    "webSSOProfileConsumerResponseSkew": 300,
    "webSSOProfileConsumerReleaseDOM": true,
    "webSSOProfileResponseSkew": 300,
    "samlAssertionMaxAuthenticationAge": 7200,
    "samlAssertionUserNameAttributeName": "uid"
  },
  "AccessTokenPersistenceSettings": {
    "dbType": "postgres",
    "driverClassName": "org.postgresql.Driver",
    "url": "jdbc:postgresql://localhost:5432/thingworx",
    "username": "twadmin",
    "password": "pass",
    "encryptTokenInDatabase": "false"
  },
  "KeyManagerSettings": {
    "keyStoreFilePath": "/ThingworxPlatform/ssoSecurityConfig/keystore.jks",
    "keyStoreStorePass": "pass",
    "keyStoreKey": "tomcat8.5",
    "keyStoreKeyPass": "pass"
  },
  "AuthorizationServersSettings": {
    "PingFed1": {
      "clientId": "twx_oauth_conn",
      "clientSecret": "secret",
      "authorizeUri": "https://ecsc00a00f1e.epam.com:9031/as/authorization.oauth2",
      "tokenUri": "https://ecsc00a00f1e.epam.com:9031/as/token.oauth2",
      "clientAuthScheme": "form"
    }
  }
}


5 REPLIES
hselarka
14-Alexandrite
(To:idastanka)

Hi Iryna,

Seems like the SCOPE is not defined in the correct way. We need to mention the same SCOPE in PingFederate and in Thingworx.

I'd suggest you create a case with Support Services. A case can be logged with TS here

BR,

Harsh Selarka

Any success on this? I am also facing the same issue.

Security log is saying:

2018-02-09 14:15:13.865+0000 [L: DEBUG] [O: o.s.s.w.c.SecurityContextPersistenceFilter] [I: ] [U: ] [S: ] [T: http-nio-8443-exec-1] SecurityContextHolder now cleared, as request processing completed

2018-02-09 14:15:13.868+0000 [L: ERROR] [O: S.c.t.s.a.s.ThingworxSSOAuthenticator] [I: ] [U: ] [S: ] [T: http-nio-8443-exec-1] [ Failed to utilize the SSO component for authentication ][ Error requesting access token. ][ 401 Unauthorized ]

2018-02-09 14:15:13.868+0000 [L: DEBUG] [O: S.c.t.s.a.s.ThingworxSSOAuthenticator] [I: ] [U: ] [S: ] [T: http-nio-8443-exec-1] authentication status: [false]

2018-02-09 14:15:13.868+0000 [L: ERROR] [O: S.c.t.s.a.AuthenticationFilter] [I: ] [U: ] [S: ] [T: http-nio-8443-exec-1] Could not handle request

2018-02-09 14:15:13.875+0000 [L: ERROR] [O: S.c.t.s.a.AuthenticatorExceptionHandler] [I: ] [U: ] [S: ] [T: http-nio-8443-exec-1] errorMessage: [Unauthorized], statusCode: [401]

2018-02-09 14:15:13.875+0000 [L: DEBUG] [O: S.c.t.s.a.AuthenticatorExceptionHandler] [I: ] [U: ] [S: ] [T: http-nio-8443-exec-1] ssoException exists: [true], recoverable: [false]

2018-02-09 14:15:13.875+0000 [L: ERROR] [O: S.c.t.s.a.AuthenticatorExceptionHandler] [I: ] [U: ] [S: ] [T: http-nio-8443-exec-1] [ Error requesting access token. ][ 401 Unauthorized ]

I'm also facing the same issues; kindly provide your comments.

 

2019-11-14 07:39:43.292-0500 [L: ERROR] [O: S.c.t.s.a.s.ThingworxSSOAuthenticator] [I: ] [U: ] [S: ] [T: http-nio-8181-exec-1] [ Failed to utilize the SSO component for authentication ][ Key for alias keystore not found ]
2019-11-14 07:39:43.293-0500 [L: ERROR] [O: S.c.t.s.a.AuthenticationFilter] [I: ] [U: ] [S: ] [T: http-nio-8181-exec-1] Could not handle request
2019-11-14 07:39:43.293-0500 [L: ERROR] [O: S.c.t.s.a.AuthenticatorExceptionHandler] [I: ] [U: ] [S: ] [T: http-nio-8181-exec-1] errorMessage: [Unauthorized], statusCode: [401]
2019-11-14 07:39:43.293-0500 [L: ERROR] [O: S.c.t.s.a.AuthenticatorExceptionHandler] [I: ] [U: ] [S: ] [T: http-nio-8181-exec-1] [ Key for alias keystore not found ]

 

 

Arshad
17-Peridot
(To:karthik24)

Please check if keyAlias is defined correctly in <ThingworxNavigate>/tomcat/apache-tomcat-8.x.xx/conf/server.xml

Also, make sure the hostname for PingFederate, Windchill and Thingworx in all configuration files and shortcut URLs uses the Fully Qualified Host Name (FQDN).
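The three failures in this thread are all configuration mismatches that can be checked before restarting Tomcat. The script below is an added example, not PTC's code and not from any poster: it loads an sso-settings.json and applies the scope-subset rule quoted in the first error (requested OAuth scopes must be blank or a subset of those granted to the PingFederate client), checks that the keyStoreKey alias exists in the keystore (the "Key for alias ... not found" error), and checks that every URL in the file uses a fully qualified host name consistently (the FQDN advice above). The sample settings are constructed from the posted configuration with secrets removed; the granted-scope list and the alias list are assumed inputs you would take from the PingFederate OAuth client definition and from `keytool -list -keystore keystore.jks` respectively.

```python
"""Sanity checks for a ThingWorx sso-settings.json against the failure modes seen in this thread.

Added example, not PTC code. Granted scopes and keystore aliases are assumed inputs
(PingFederate client definition; `keytool -list -keystore keystore.jks`).
"""
import json
from urllib.parse import urlsplit

# Constructed sample, modelled on the sso-settings.json posted above (secrets omitted).
SAMPLE_SETTINGS = json.loads("""
{
  "BasicSettings": {
    "clientBaseUrl": "https://ecsc00a00f1d.epam.com:443/Thingworx",
    "metadataEntityId": "https://ecsc00a00f1d.epam.com/Thingworx",
    "metadataEntityBaseUrl": "https://ecsc00a00f1d.epam.com/Thingworx"
  },
  "KeyManagerSettings": {
    "keyStoreFilePath": "/ThingworxPlatform/ssoSecurityConfig/keystore.jks",
    "keyStoreKey": "tomcat8.5"
  },
  "AuthorizationServersSettings": {
    "PingFed1": {
      "clientId": "twx_oauth_conn",
      "authorizeUri": "https://ecsc00a00f1e.epam.com:9031/as/authorization.oauth2",
      "tokenUri": "https://ecsc00a00f1e.epam.com:9031/as/token.oauth2"
    }
  }
}
""")

DEFAULT_PORTS = {"https": 443, "http": 80}
BASIC_URL_KEYS = ("clientBaseUrl", "metadataEntityId", "metadataEntityBaseUrl")
SERVER_URL_KEYS = ("authorizeUri", "tokenUri")


def origin(url):
    """(scheme, host, effective port): 'https://h:443/x' and 'https://h/x' are the same origin."""
    parts = urlsplit(url)
    return parts.scheme, parts.hostname, parts.port or DEFAULT_PORTS.get(parts.scheme)


def is_fqdn(host):
    """A fully qualified host name carries its domain: at least one dot, no trailing dot."""
    return bool(host) and "." in host and not host.endswith(".")


def check_scopes(requested, granted):
    """The rule behind 'requested scope(s) must be blank or a subset of the provided scopes':
    every scope the connector asks for must be one the OAuth client was granted."""
    missing = sorted(set(requested) - set(granted))
    return [f"scope '{s}' is requested but not granted to the OAuth client" for s in missing]


def check_settings(settings, requested_scopes, granted_scopes, keystore_aliases):
    """Return a list of findings; an empty list means the configuration passed every check."""
    findings = []
    basic = settings["BasicSettings"]

    # 1. The SP-side URLs must agree on scheme, host and port; they are compared as
    #    origins so an explicit :443 is not reported as a difference.
    origins = {k: origin(basic[k]) for k in BASIC_URL_KEYS}
    if len(set(origins.values())) != 1:
        findings.append(f"BasicSettings URLs disagree on scheme/host/port: {origins}")

    # 2. Every host in the file must be an FQDN; a short name in one place and a full
    #    name elsewhere means the IdP and ThingWorx disagree on entity IDs and redirect URLs.
    urls = [basic[k] for k in BASIC_URL_KEYS]
    for server in settings["AuthorizationServersSettings"].values():
        urls += [server[k] for k in SERVER_URL_KEYS]
    for url in urls:
        if not is_fqdn(urlsplit(url).hostname):
            findings.append(f"'{url}' does not use a fully qualified host name")

    # 3. The signing key alias must exist in the keystore, otherwise the SSO component
    #    fails with 'Key for alias <alias> not found' before any SAML exchange happens.
    alias = settings["KeyManagerSettings"]["keyStoreKey"]
    if alias not in keystore_aliases:
        findings.append(f"keyStoreKey alias '{alias}' not found in keystore aliases {sorted(keystore_aliases)}")

    # 4. Scope subset rule from the first error in the thread.
    findings += check_scopes(requested_scopes, granted_scopes)
    return findings


if __name__ == "__main__":
    # Assumed inputs: scopes from the PingFederate OAuth client, aliases from keytool -list.
    granted = ["WINDCHILL_READ"]
    aliases = {"tomcat8.5"}
    for finding in check_settings(SAMPLE_SETTINGS, ["WINDCHILL_READ"], granted, aliases) or ["no findings"]:
        print(finding)
```

Run it against the real file with `json.load(open("/ThingworxPlatform/ssoSecurityConfig/sso-settings.json"))` in place of SAMPLE_SETTINGS; a misspelt or extra scope shows up in the scope finding, and a keyAlias from server.xml that does not match the keystore shows up in the alias finding, which is the same mismatch the 2019 log lines above report.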

slangley
23-Emerald II
(To:idastanka)

Hi @idastanka.

 

If one of the responses allowed you to resolve your issue, please mark the appropriate one as the Accepted Solution for the benefit of others with the same problem.  If you are still having issues, please provide additional information.

 

Regards.

 

--Sharon
