PI System Security with OpenID Connect/OAuth2/Active Directory Federated Services (ADFS)
Please consider enabling PI System Security to use Active Directory Federated Services (ADFS) [OpenID Connect/OAuth2] -- the interfaces, buffer, integrators, PI Vision, etc.
As organizations move to Office365 and Cloud/Internet services, this would make authentication/use outside a company's network easier.
This would be a very important improvement.
After doing the POC (00043030) in Azure, we found that the Azure AD authentication to PI server was insufficient. Windows AD authentication was required for the PI Vision Kerberos authentication. At the moment Azure AD is not generally supported by the PI system, which is restricting us from moving our application to Azure and being independent of Active Directory. It is also preventing us from fully integrating into the Cloud and meeting Uniper's strategic objectives.
Floris Zwaard commented
It looks like the request somehow answers my question as if the PI System does not support ADFS authentication? Does this count for PI Vision as well?
Vincent Kaufmann commented
In response to Floris Zwaard, "It looks like the request somehow answers..."
While the AF and Data Archive servers don't yet support an OpenId/OAuth authentication scheme, both the PI Web API and PI Vision currently do but with a necessary protocol transition when authenticating to their back end resources.
Very good proposal. May I suggest building on today's mapping of Active Directory objects (users and/or security groups) to PI+AF Identities by extending with the possibility to map token claims to PI+AF Identities. This would maintain backwards compatibility as well as supporting the new feature request.
I believe this is a duplicate of another request. https://feedback.osisoft.com/forums/555148-pi-server/suggestions/31729966-pi-system-security-with-openid-connect-oauth2-acti
Michael Lemley commented
Customers are requesting Single Sign-On to PI Vision. Suggest adding PI Vision SSO to the title.
As a PI Administrator I want to be able to use claims-based authentication throughout the PI System so that I can provide a simplified and secure authentication methodology for all my users, including ones using web-based applications.