What's New in PI AF 2023

The following properties and enumeration set have been added:

• OSIsoft.AFAFAuthenticationMode and PISystemAuthenticationMode properties return the supported authentication modes for the AF server.
• The PISystemSelectedAuthenticationMode property returns the current authentication mode.
• The new PISystemIdentityServerEndpointAddress property returns the address for the Identity server used for OIDC authentication.
• The properties PISystemDefaultAuthenticationMode and PISystemUsingDefaultAuthenticationMode show the default authentication mode for the PISystems parent object, and, if that mode is currently in use.
• The PISystemConfiguredRoles and PISystemConfiguredOidcIdentities properties store configured roles and other OIDC identities returned by the Identity server.
• The OSIsoft.AFAFSecurityMappingType enumeration set enables creation of security mappings using OIDC identities.

The following new methods provide support for OIDC authentication:

• The methods PISystemConnectWithPrompt and PISystemConnectWithPrompt(AFConnectionPreference) allow connections to an AF Server with OIDC authentication using authorization code flow through a Web-browser popup window.
• The PISystemConnect(String, String) and PISystemConnect(String, String, AFConnectionPreference) methods allow connection to the AF Server using OIDC client credentials.
• The PISystemConnect(String) and PISystemConnect(String, AFConnectionPreference) methods provide connections to an AF server using an access token retrieved from the Identity server.
• The PISystemGetIdentityProvidersandRoles method retrieves a list of all of the latest OIDC identities and roles from the Identity server.
• The AFSecurityMappingsAdd(String, String, AFSecurityIdentity, AFSecurityMappingType) overload provides the ability to create mappings for OIDC identities.

New options for AFGlobalSettings allow control of OIDC authentication behavior:

• The property AFGlobalSettingsPreferOpenIdAuth allows control of the UI connection default behavior. The new enumeration OSIsoft.AFAFGlobalSettingsPreferOpenId provides options for how an initial connection occurs. Users can be prompted every time their UI application is opened to choose an authentication mode, or the default authentication mode can be automatically set to OIDC or Windows. Any connection that doesn't support OIDC will automatically default to Windows authentication. This option is set in the AFSDK.config file.
• The property AFGlobalSettingsIgnoreThreadCurrentPrincipal controls whether the ClaimsIdentity on Thread.CurrentPrincipal is used when set. By default, the AFSDK creates PISystems objects using the identity on Thread.CurrentPrincipal and connects using any access token set there.
• The property AFGlobalSettingsDisableAuthenticationFallback enables fallback control to Windows authentication when the default authentication mode for the PISystems collection is set to OIDC and the current server connection doesn't support OIDC authentication. In this scenario, the AFSDK falls back to Windows authentication by default. If set to true, an InvalidOperationException is thrown when attempting to connect to an AF or Data Archive server that doesn't support OIDC connections.

The new constructor PISystemsPISystems(ClaimsIdentity, Boolean) allows users to set the identity of the PISystems object at creation time instead of relying only on the current user context. If a WindowsIdentity is passed in for the first argument, the default authentication mode is set to Windows Authentication. If a valid ClaimsIdentity is passed in, the default authentication mode is set to OIDC. If an access token exists on the ClaimsIdentity, that will be used for authentication. The two new properties PISystemsCurrentUserId and PISystemsCurrentUserName enable retrieval of information for the identity used at creation.

The new AFElementGetAttributeValues(PISystem, IListAFAttributeValueQueryID, ClaimsIdentity, Object, Boolean) method overload returns a list of values for a specific OIDC user.

A new AFEventFrameGetAttributeValues(PISystem, IListAFAttributeValueQueryID, ClaimsIdentity, Object, Boolean) method overload returns a list of values for a specific OIDC user.

The following properties have been added:

• PIServerAuthenticationMode returns the supported authentication modes for the Data Archive server along with PIServerSelectedAuthenticationMode that returns the current authentication mode.
• The new PIServerIdentityServerEndpointAddress property returns the address of the Identity server used for OIDC authentication.
• The properties PIServerDefaultAuthenticationMode and PIServerUsingDefaultAuthenticationMode show the default authentication mode for the PISystems parent object, and, if that mode is currently in use.

The following methods have been added to support OIDC authentication:

• The methods PIServerConnectWithPrompt, PIServerConnectWithPrompt(IWin32Window, PIAuthenticationMode, NullableAFConnectionPreference), and PIServerConnectWithPrompt(AFConnectionPreference) enable connections to a Data Archive server with OIDC authentication using authorization code flow through a Web browser pop-up window.
• The methods PIServerConnect(String, String) and PIServerConnect(String, String, AFConnectionPreference) enable connections to a Data Archive server using OIDC client credentials.
• The methods PIServerConnect(String) and PIServerConnect(String, AFConnectionPreference) enable connections to a Data Archive server using an access token retrieved from the Identity server.
• The PIIdentityMappingsAdd(String, String, String, PIIdentityMappingType) overload allows creation of mappings for OIDC identities.
• The PIServersGetPIServers(ClaimsIdentity, Boolean) overload allows access to PIServers collection using a ClaimsIdentity by utilizing the new PISystems constructor.

A new UOMDatabaseGetDisplayUOMGroup(ClaimsIdentity) method overload enables returning the UOM group for an OIDC user.