Add an OpenID Connect site

Use FactoryTalk Administration Console to configure and bind an OpenID Connect application within FactoryTalk Security so that it can receive information from an OpenID Connect (OIDC) Identity Provider (IDP). Through the OIDC IDP, FactoryTalk Security authentication can be augmented with any multi-factor authentication type the OIDC IDP supports. For more information, see the OIDC IDP instructions.

FactoryTalk Services Platform supports these OIDC IDP types:
To add an OpenID Connect site

- In the FactoryTalk Administration Console Explorer pane, expand Authentication Services.
- Right-click OIDC Site, select New, and then select one of the following. IMPORTANT: The OIDC site type must match the OIDC server configuration.
  - New On-Prem OIDC Site: FactoryTalk Security can reference an on-premises OIDC IDP application, such as HID Global's HID® DigitalPersona®, used together with an on-premises Microsoft Active Directory for user authentication, to support authentication mechanisms such as fingerprint scanning. On-premises OIDC authentication supports Windows-linked users only.
  - New OKTA OIDC Web Application: FactoryTalk Security integrates with an OKTA OIDC web application, supporting authentication mechanisms such as the Authorization Code Flow. For more information, see the OKTA and OAuth Community Site.
  - New OKTA OIDC Single-Page Application: FactoryTalk Security can reference an OKTA OIDC single-page application integration for user authentication, supporting authentication mechanisms such as the PKCE flow. For more information, see the OKTA and OAuth Community Site.
  - New MyRockwell: FactoryTalk Security can reference a MyRockwell Auth0 application for user authentication.
- When the dialog opens, configure the following:
  - Name: The name of the OIDC site. The site name must be unique.
  - Description: A description of the OIDC site.
  - Client Information: The following values come from the OIDC server.
    - Client ID: The unique identifier issued for the client, as registered on the OIDC server.
    - Client Secret: The client secret issued for the client, as registered on the OIDC server. This value is known only to the OIDC IDP and your application integration. TIP: The client secret is hidden. To change the client secret for an existing OIDC site, right-click the OIDC site, select Properties, and then select the button next to Client Secret.
    - Scope: The scope of the access request. Adjust this value according to your OIDC server settings so that FactoryTalk Security can receive user information. Use a comma to separate the values for each scope. openid is predefined. The default values are the minimum scope.
    - Domain: Available only for the on-premises OIDC site. The Windows domain where your OIDC server is located, for example, test.com.
    - Enable PKCE: Available only for the OKTA and MyRockwell OIDC sites. Proof Key for Code Exchange (PKCE) indicates whether a PKCE code challenge is required to verify client requests. Whether to enable PKCE depends on the OIDC server configuration.
  - Endpoint Information: The following endpoint values come from the OIDC IDP configuration. Before creating an OIDC site, you must have an OIDC server configured. The endpoint URLs are used to communicate with the OIDC IDP during OIDC authentication and authorization.
    - Authorize Endpoint URL: The authorization endpoint used for authentication and authorization. It returns an authorization grant to the client.
    - Token Endpoint URL: The token endpoint used for token exchange. It returns the access token, the ID token, and optionally a refresh token.
    - User Info Endpoint URL: Required only for the on-premises OIDC site. It returns a response containing claims about the user.
    - OKTA API Key: The API key is one option that OKTA provides for authenticating the user of an external application so that it can use OKTA APIs to obtain information from an associated OKTA application. Whether to enable the OKTA API Key depends on the OIDC server configuration.

TIP:
- FactoryTalk Services Platform performs authentication using the Authorization Code Flow.
- Register the callback URL in your OIDC server as http://localhost.