AVEVA Product Feedback


Add a new idea Subscribe
Status Completed
Categories Security
Created by Guest
Created on Aug 20, 2022

RELATED IDEAS

PI System Security with OpenID Connect/OAuth2/Active Directory Federated Services (ADFS)

Please consider enabling PI System Security to use Active Directory Federated Services (ADFS)[OpenID Connect/OAuth2]--the interfaces, buffer, integrators, PI Vision, etc...  As organizations move to Office365 and Cloud/Internet services, this would make authentication/use outside a company's network easier.
  • ADMIN RESPONSE
    Jul 10, 2023

    AVEVA PI Server 2023 introduces modern, claims-based authentication via OpenID Connect. For additional information on AVEVA PI System 2023, please see the release announcement.

  • Attach files
  • Paul Downes
    Reply
    |     Jun 16, 2023

    Has there been any update to this request please? We want to implement in Azure, but would like users from other domains to sso and use PI. Is this still not possible?

  • Guest
    Reply
    |     Aug 20, 2022
    Customers are requesting Single Sign-On to PI Vision. Suggest adding PI Vision SSO to the title.
  • Guest
    Reply
    |     Aug 20, 2022
    I believe this is a duplicate of another request. https://feedback.osisoft.com/forums/555148-pi-server/suggestions/31729966-pi-system-security-with-openid-connect-oauth2-acti
  • Guest
    Reply
    |     Aug 20, 2022
    Very good proposal. May I suggest building on today's mapping of Active Directory objects (users and/or security groups) to PI+AF Identities by extending with the possibility to map token claims to PI+AF Identities. This would maintain backwards compatibility as well as supporting the new feature request.
  • Guest
    Reply
    |     Aug 20, 2022
    In response to Floris Zwaard, "I looks like the request somehow answers..." While the AF and Data Archive servers don't yet support an OpenId/OAuth authentication scheme, both the PI Web API and PI Vision currently do but with a necessary protocol transition when authenticating to their back end resources.
  • Guest
    Reply
    |     Aug 20, 2022
    I looks like the request somehow answers my question as if the PI System does not support ADFS authentication? Does this counts for PI Vision as well?
  • Guest
    Reply
    |     Aug 20, 2022
    As a PI Administrator I want to be able to use claims based authentication throughout the PI System so that I can provide a simplified and secure authentication methodology for all my users, including ones using web based applications.
  • Guest
    Reply
    |     Aug 20, 2022
    After doing the POC (00043030) in Azure, we found that the Azure AD authentication to PI server was insufficient. Windows AD authentication was required for the PI Vision Kerberos authentication. At the moment Azure AD is not generally supported by the PI system which is restricting us to move our application to Azure and to be independent of Active Directory. It is also preventing us to fully integrate into the Cloud and meet Uniper's strategic objectives.
  • Guest
    Reply
    |     Aug 20, 2022
    This would be a very important improvement.
  • Guest
    Reply
    |     Aug 20, 2022
    The major part of us now are using AzureAD from Microsoft, This technology must be supported by OSISOft otherwise we need to maintain an obsolete Active directory Domain controller only for PI Authenticatoin.,
  • Roger Palmen
    Reply
    |     Aug 20, 2022
    OAuth is a regular request for identification with the increase of cloud-based deployments and non-windows environments connecting to PI in some way.
  • Guest
    Reply
    |     Aug 20, 2022
    As our CyberSecurity team is against replicating our AD Domain to our Azur tenant, we are completely blocked to move part of our PI servers into the cloud. Adding Modern Authentication to the PI system will release us from this constraint.