Authentication
Select the user authentication modes available at runtime and configure the required
password policy for users defined in
FactoryTalk Optix Studio
.Authentication modes
Depending on the authentication mode selected, these types of users may log on at runtime:
Users type | Description |
|---|---|
Model | Users created in FactoryTalk Optix Studio . |
Local | Local machine users. |
Domain | Active Directory or LDAP users. Domain users can log on to FactoryTalk Optix Applications by using these
username conventions:
For more information, see Configure Active Directory for user authentication. |
OAuth 2.0 | Users authorized with the OAuth 2.0 protocol with PKCE, which relies on a JWKS
endpoint. You cannot use other authentication modes than OAuth 2.0 protocol with
PKCE. For more information, see OAuth 2.0 Authorization Code Grant Type.
TIP:
FactoryTalk Optix Studio uses RS256
tokens.For Web Presentation Engine, a pop-up window opens to display the login and
logout pages. |
NOTE:
If you set the authentication to Model, Local and Domain, you
cannot change the user password or add users. Change the authentication mode to a mode
other than Model, Local and Domain.
Depending on the client operating system, different authentication modes are supported:
Platform | Model authentication | Local authentication | Active Directory authentication | LDAP server authentication | OAuth 2.0 |
|---|---|---|---|---|---|
Windows | |||||
Ubuntu 22 | |||||
Embedded |
Domain users and groups mapping
New users and groups:
- If a domain user logs on at runtime, a corresponding model user is created.
Existing users and groups:
- Existing model groups are mapped with the corresponding domain groups.
- Existing model users are mapped with the corresponding domain users if the model username matches the domain username and the domain variable under the user model node.
Edited group membership:
- If a domain user is no longer in a domain group, the corresponding model user is removed from the corresponding model group.
- If a domain user becomes a member of a domain group, the corresponding model user is added to the corresponding model group.The corresponding model user is added to the corresponding model group if the domain group exists in the model.
Removed users and groups:
- If a domain user is removed from a group and the corresponding model user belongs to the model group, the user is removed from the model group after a successful log in.
Password policies
Enforce:
- Minimum and maximum password age
- Minimum password length
- The necessity to set unique passwords
TIP:
Password policies impact Model users only.
Provide Feedback