Add a cloud-based authentication group

Add user groups from cloud-based authentication services to the FactoryTalk system so that the user accounts in those groups can access it. FactoryTalk Services Platform supports Microsoft® Entra ID (also known as Azure AD) and OpenID Connect (OIDC) Identity Provider (IDP) authentication services by retrieving group information from Microsoft Entra ID and OIDC groups. Supported OIDC IDPs include OKTA, MyRockwell, and on-premises OIDC IDPs. Security permissions are set at the group level.
IMPORTANT:
Microsoft renamed Azure Active Directory (Azure AD) to Microsoft Entra ID.
Prerequisites
  • Obtain these permissions in the User Groups folder in FactoryTalk Administration Console Explorer:
    • Common > Create Children
    • Common > List Children
    • Common > Read
  • Configure authentication sites of the desired type, such as Microsoft Entra ID, OKTA, MyRockwell, or on-premises OIDC.
To add a cloud-based authentication group
  1. In the FactoryTalk Administration Console Explorer pane, go to System > Users and Groups > User Groups.
  2. Right-click User Groups, select New, and then select Cloud-based Authentication Group.
  3. In New Cloud-based Authentication Group, select Add.
  4. In Select Groups, under Select cloud-based OIDC and Azure AD sites, select a site.
  5. (optional) In the Name box, enter keywords to filter the groups associated with the selected site.
  6. Select Search.
     The results appear after you sign in. If more groups match than fit on one page, use the paging controls under Search to move through them. Each page of results contains at most 200 groups for Microsoft Entra ID and 50 for OKTA.
  7. On the sign-in page, enter your account and password.
     TIP:
     For a Microsoft Entra ID group, in Stay signed in to all your apps, select No, sign in to this app only so that Windows remembers your account only for the configured Microsoft Entra ID application. Select OK to allow Windows to remember your account and sign you in automatically to all your applications and websites on this device. On a shared engineering workstation, the first option keeps the remembered sign-in scoped to this application.
  8. Under Select user groups, select a user group, and then select OK.
     TIP:
     When listing Microsoft Entra ID groups, an error appears if the server cannot retrieve the group information. In the FactoryTalk Administration Console Explorer pane, go to System > Policies > System Policies > Security Policy to adjust the Web authentication timeout and the Web authentication retry count. The default timeout is 100 seconds and the default retry count is 3.
  9. In New Cloud-based Authentication Group, review the group list.
     • To remove any groups added unintentionally, select them, and then select Remove.
     • To add more groups, repeat step 3 to step 8.
  10. Select OK.