Manage authentication services
FactoryTalk Services Platform supports authentication via Microsoft Entra ID (also known as
Azure AD) and OpenID Connect (OIDC) Identity Providers (IDPs), like OKTA and MyRockwell.
Both provide multiple ways to verify a user’s identity and verify that a service request
originates with that user. Various factors, such as biometrics, ID cards, or verification
codes, can be used in this authentication process. After creating the site, you can add user
groups from the cloud-based authentication services to the FactoryTalk system to allow user
accounts in the group to access the FactoryTalk system.
FactoryTalk Services Platform supports single sign-on. When enabled, the single sign-on
capability allows the user to sign in once, per FactoryTalk directory, on a given computer,
to use a FactoryTalk-enabled application such as Studio 5000 Logix Designer. Single sign-on
can be initiated in two ways.
- One way is through the computer sign-in process that users normally execute to use a computer.
- The second way is to use the Log On to FactoryTalk system tray applet. The cloud-based authentication services must use this way. When using Microsoft Entra ID or OIDC, you must sign in using the system tray applet in order for the single sign-on to work.
The authentication service in use impacts how the single sign-on capability operates. The
following table shows how the authentication services support single sign-on.
Authentication service | Impact on single sign-on |
Password | For Windows-linked and FactoryTalk users, single sign-on is fully supported.
The addition of Microsoft Entra ID and OpenID Connect authentication services has no
impact on this existing functionality. |
Microsoft Entra ID | Single sign-on with Microsoft Entra ID depends on how the user is
authenticating.
Windows logon: If the Microsoft Entra ID user has previously signed in to the computer,
which creates a Microsoft-linked user, there is limited support for single
sign-on. When using Windows logon, FactoryTalk Services Platform cannot determine the
Microsoft Entra ID user’s Microsoft Entra ID group membership. This prevents
FactoryTalk Services Platform from assessing security Access Control Lists that
use Microsoft Entra ID groups for this user. If the Microsoft Entra ID user
has not previously signed in to the computer, FactoryTalk Services Platform single
sign-on cannot work.
Log on to FactoryTalk using the system tray applet: The Microsoft Entra ID user
logging on using this method is fully supported.
Microsoft Entra ID user membership in Microsoft Entra ID groups and domain groups
can be determined, and all security Access Control Lists can be
assessed. |
OpenID Connect | Single sign-on support is limited to the following when using this
authentication service.
Log on to FactoryTalk using the system tray applet: The OpenID Connect user
logging on using this method is fully supported.
OpenID Connect user membership in OpenID Connect groups and domain groups can be
determined, and all security Access Control Lists can be assessed. |
How to sign in to FactoryTalk using the system tray applet
FactoryTalk Services Platform indirectly supports single sign-on with cloud-based
authentication services like Azure, OKTA, and MyRockwell. To use single sign-on, users
must first sign in to the FactoryTalk Directory via the system tray Login/Logout applet.
After completing this step, adopting applications, such as Studio 5000 Logix Designer
and FactoryTalk View Studio, can use single sign-on for authentication when started.
FactoryTalk Services Platform does not support using the currently authenticated Windows
user for automatic authentication when an adopting application is started.