In today’s digital landscape, Single Sign-On (SSO) solutions provide an efficient way for users to access multiple applications with just one set of login credentials. However, navigating the different authentication protocols can sometimes lead to confusion and technical issues.
In this post, we’ll explore a specific issue related to ThingWorx Navigate (now known as Windchill Navigate) and how changes in Microsoft’s EntraID can affect its functionality.
The Problem with ThingWorx Navigate
Users of ThingWorx Navigate, specifically versions 9.5 to 9.7, have reported errors when signing in through SSO with Microsoft Entra ID. After a successful authorization at Entra ID, some users were unexpectedly sent to a “404 Page Not Found” error. Refreshing the page or clicking the “Back to Composer” link usually restored access, but that only works around the symptom; the underlying configuration conflict is still there and will keep producing failed sign-ins until it is fixed.
The application logs contained a warning that explains the failure:
Warning: The application with App ID ‘xxxx-xxxx-xxx-xxxx-xxxxxx’ is configured for SAML SSO and could not be used with non-SAML protocols.
What Does This Mean for ThingWorx Users?
To understand the implications of this warning, we need to delve into two critical authentication protocols that ThingWorx uses: SAML and OAuth 2.0.
SAML (Security Assertion Markup Language)
SAML is an XML-based standard for exchanging authentication and authorization data between two parties. The site the user actually wants to use, the Service Provider (SP), trusts a separate Identity Provider (IdP) to authenticate the user; the IdP returns a signed XML assertion stating who the user is, and the SP validates that signature against the IdP's certificate. No OAuth tokens are involved in a SAML exchange. This is the classic enterprise web-SSO pattern, for example signing in to several business applications with one corporate Entra ID account.
OAuth 2.0
OAuth 2.0, by contrast, is an authorization framework: it lets an application obtain a token that grants limited access to a resource on the user's behalf, without the application ever handling the user's password. OAuth 2.0 itself does not dictate the token format, but Entra ID issues its access tokens as JWTs (JSON Web Tokens): a compact string made of a base64url-encoded header, payload and signature. The resource server that receives such a token (Windchill, in this setup) must verify the signature with the key named by the token header's kid value, which it fetches from the identity provider's key-discovery (JWKS) endpoint, and then check the iss, aud and exp claims before trusting anything in the payload. Those are exactly the values that the Windchill properties discussed below configure.
What Happened?
As of September 2024, Microsoft enforces a rule in Entra ID: an app registration whose enterprise application is configured for SAML-based single sign-on can no longer be used with non-SAML protocols, so Entra ID will not issue OAuth 2.0 / OpenID Connect tokens (JWTs) for it. That is precisely what the warning above says. ThingWorx Navigate was requesting tokens through the OAuth 2.0 flow against an app registration that had been set up for SAML, so the token request was refused and the sign-in ended at the 404 page instead of in the application. Any deployment that relied on a single registration serving both protocols stopped working.
Why Is This a Problem for ThingWorx Users?
Think of a cafe that has been told it may accept only cash: a customer who walks up with a credit card is turned away even though the card itself is perfectly valid. ThingWorx Navigate arrived with an OAuth 2.0 request at a registration that Entra ID now treats as SAML-only, the request was turned away, and users saw that as failed sign-ins and disrupted access.
Resolving the Issue in ThingWorx
For IT professionals managing ThingWorx Navigate, the fix is to stop sharing one app registration between the two protocols:
- Create a separate app registration:
Register a new application in Entra ID that is used exclusively for OAuth 2.0, and leave the existing SAML-configured registration in place for the SAML sign-in. Do not add a SAML configuration to the new registration, or it will run into the same rule.
- Update the ThingWorx configuration:
Point the OAuth configuration in ThingWorx at the new registration. This involves adjusting the scope values in ThingWorx Composer and in the Navigate configurator so that they reference the new registration rather than the SAML one.
- Adjust the security context in Windchill:
Modify the securityContext.properties file in Windchill so that its resource scopes match the scopes exposed by the new registration.
- Update Windchill properties:
The wt.properties file also needs updating, specifically the expected JWT token audience and the KID URL. The audience must match the aud claim that Entra ID places in tokens issued for the new registration, and the KID URL is the key-discovery endpoint from which Windchill fetches the signing key named by each token's kid header (for Entra ID, the tenant's discovery/v2.0/keys endpoint, also published as jwks_uri in the tenant's OpenID configuration document). If either value still refers to the old registration or the wrong tenant, Windchill will reject tokens that Entra ID has in fact issued correctly.
A quick check after the change: decode an access token obtained through the new registration and confirm that its aud claim equals the audience configured in wt.properties and that its kid header appears in the document served by the KID URL.
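The checks that the wt.properties audience and KID URL settings feed into are easier to see in code. The following Go program is an added example written for this post, not code from PTC, ThingWorx or Windchill: it generates a local RSA key that stands in for Entra ID's signing key (real keys would be fetched from the KID URL), mints RS256 tokens with it, and then runs the resource-server side checks that Windchill must perform: kid lookup against the JWKS, signature verification, and issuer, audience and expiry checks. The client IDs, tenant issuer URL and kid values are placeholders chosen for the example, not identifiers from the post. The three scenarios are a correctly issued token checked against the right audience, the same token seen by a verifier still configured with the old SAML app's ID as its audience (what a stale wt.properties audience setting produces), and a token whose kid is missing from the JWKS (what a wrong KID URL looks like).

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Placeholder identifiers assumed for this example, not values from the post: the new
// OAuth-only registration's client ID, the old SAML app's ID and the tenant's v2.0 issuer.
const (
	newAppAudience = "11111111-2222-3333-4444-555555555555"
	oldSamlAppID   = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
	issuer         = "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0"
)
// jwks holds the signing keys fetched from the KID URL, indexed by kid. Parsing the JWKS
// document's base64url "n"/"e" members into rsa.PublicKey values is left out here.
type jwks map[string]*rsa.PublicKey
// claims holds the registered claims a resource server must check; encoding/json maps
// the "iss", "aud" and "exp" members onto these fields case-insensitively.
type claims struct {
	Iss, Aud string
	Exp      int64
}

// issueRS256 mints a token the way the IdP would; used here only to build test input.
func issueRS256(priv *rsa.PrivateKey, kid string, c claims) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(map[string]interface{}{"iss": c.Iss, "aud": c.Aud, "exp": c.Exp})
	input := base64.RawURLEncoding.EncodeToString(hdr) + "." + base64.RawURLEncoding.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		panic(err)
	}
	return input + "." + base64.RawURLEncoding.EncodeToString(sig)
}

// VerifyToken performs the checks a resource server such as Windchill must make before
// trusting a bearer token: the header's kid must name a key fetched from the KID URL, the
// RS256 signature must verify under that key, and iss, aud and exp must match the config.
func VerifyToken(token, wantIss, wantAud string, keys jwks, now time.Time) (*claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token: expected header.payload.signature")
	}
	hdrBytes, errH := base64.RawURLEncoding.DecodeString(parts[0])
	payload, errP := base64.RawURLEncoding.DecodeString(parts[1])
	sig, errS := base64.RawURLEncoding.DecodeString(parts[2])
	if errH != nil || errP != nil || errS != nil {
		return nil, fmt.Errorf("token parts are not valid base64url")
	}
	var hdr struct{ Alg, Kid string }
	if err := json.Unmarshal(hdrBytes, &hdr); err != nil || hdr.Alg != "RS256" {
		return nil, fmt.Errorf("unsupported or malformed header (alg %q)", hdr.Alg) // never honour "none"/HS256
	}
	pub, found := keys[hdr.Kid]
	if !found {
		return nil, fmt.Errorf("kid %q not present in JWKS: check the KID URL", hdr.Kid)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, fmt.Errorf("signature does not verify under the JWKS key")
	}
	var c claims // parsed only after the signature has been verified
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, fmt.Errorf("bad payload: %w", err)
	}
	switch {
	case c.Iss != wantIss:
		return nil, fmt.Errorf("issuer %q is not the configured tenant", c.Iss)
	case c.Aud != wantAud:
		return nil, fmt.Errorf("audience %q does not match configured audience %q", c.Aud, wantAud)
	case !now.Before(time.Unix(c.Exp, 0)):
		return nil, fmt.Errorf("token expired")
	}
	return &c, nil
}

// Scenarios returns the outcome for three constructed tokens: the new registration's token
// (nil), the same token against a verifier still expecting the old app's ID, and an unknown kid.
func Scenarios() (okErr, audErr, kidErr error) {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // stands in for Entra ID's signing key
	keys := jwks{"kid-2024-09": &priv.PublicKey}    // what the KID URL would publish
	now := time.Now()
	good := claims{Iss: issuer, Aud: newAppAudience, Exp: now.Add(time.Hour).Unix()}
	_, okErr = VerifyToken(issueRS256(priv, "kid-2024-09", good), issuer, newAppAudience, keys, now)
	_, audErr = VerifyToken(issueRS256(priv, "kid-2024-09", good), issuer, oldSamlAppID, keys, now)
	_, kidErr = VerifyToken(issueRS256(priv, "kid-unknown", good), issuer, newAppAudience, keys, now)
	return okErr, audErr, kidErr
}

func main() { fmt.Println(Scenarios()) }
```

Run it with go run; the first result is nil and the other two are the audience and kid errors a misconfigured wt.properties would produce. Two details matter for the real validator too: the alg check happens before any key lookup, so a token cannot steer the verifier towards "none" or an HMAC algorithm, and the payload is only parsed after the signature has verified, so none of the claim checks operate on unauthenticated data.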
Conclusion
As technology evolves, keeping abreast of changes in authentication protocols is crucial for IT professionals, especially those managing applications like ThingWorx Navigate. Understanding the differences between SAML and OAuth 2.0, and how they interact, will help troubleshoot issues and ensure seamless integration across applications.
By implementing the above steps, organizations can mitigate errors and provide a more reliable user experience when utilizing SSO in ThingWorx.
Discover more from My Tricky Notes