Single Sign-On (SSO) using claims authentication in PI Vision
Integration with enterprise ‘non-Windows’ (claims) authentication systems.
A significant number of customers in my region are not using/don’t plan to adopt WIS as their authentication policy. As a result, many of them are not using Windows AD.
Customers need PI Vision to be more flexible: PI Vision should be able to be integrated with their chosen SSO system.

Please tell us more about your use case! What Identity provider would you use? Would you use this to make PI Vision available outside the business network?
-
Anthony_Total commented
First, I’d like to say that today we have a production environment running the claims-based authentication.
We currently use Memority as Identity Provider for our whole company ecosystem (many protocols supported but for PI Vision we work with OpenID Connect).
We publish the site from On Premise (seen as "legacy" or even "old IT") over the internet with this third party auth via enterprise-grade reverse proxy solution for several purposes:
1. Company Laptop - connect to PI Vision without mounting VPN on laptops when on mobility or Working From Home (especially during covid-like crisis).
2. Other Company devices - connect to PI Vision from phone/tablet that are not compatible with Windows Integrated Security, from anywhere without entering login/password.
3. Company BYOD - connect to PI Vision from any personal device without installing any third-party app/vpn.
4. Partners - share displays & data to partners without the need to provide them with full access to our AD domain nor a company workstation.
5. Last and not tested yet because of missing prerequisite but reaching PI Vision within a full PI System in Azure tenant context - still avoiding reverting to basic auth.

As seen in a case today the only alternative provided is to use Azure AD Application Proxy (https://docs.microsoft.com/en-us/azure/active-directory/app-proxy/what-is-application-proxy). This is an entirely different solution than just claims-based authentication and requires an architecture study and risk analysis. Plus I’m not sure the 5th use-case could be covered by this solution.
PS: As of today, our end-users do not know their own AD password.
-
Matt JP commented
We currently use OneLogin as an identity provider but have not yet configured PI Vision to use OIDC. If PI Vision supported OIDC more natively it would allow us to more easily add multi-factor authentication and all of the other features that IDPs offer more easily to the process of logging into PI Vision. This would greatly improve our confidence in offering external logins as we are a Connected Services Partner. It would also add confidence to our end-users as multi-factor authentication is now seen as pretty normal.
-
Christoph Rose commented
We use OpenID Connect with Okta to do multi-factor authentication and provide sign-ins to PI Vision for external customers outside of our business network.
-
taterhead247 commented
Azure (B2B and B2C). Our company uses AAD wherever possible. On-prem is seen as legacy (although still heavily used!). We would switch internal users to AAD auth. And it would allow us to auth external users as well.
-
MikeJnoz commented
Notification screenshots would also need to work with SSO. We currently have SSO set up with claims authentication (OIDC) and this doesn't work for PI notification email graphic screenshots.
-
Christoph Rose commented
How many years is this expected to be in CTP?
From our contacts with customer support, I expect OSIsoft to have gathered enough experience (and it is working well enough) to finally officially support this.
-
WenGui Hua commented
Better to provide the functions:
1. Log in to PI Vision with a remembered password
2. Force login to PI Vision with password
3. After entering the wrong password 3 times, lock the account for 1 hour