Configure AVEVA AIM Authentication
Last Updated: Jul 23, 2024
Besides Windows authentication, AIM supports one additional authentication mode, which lets the AIM Dashboard be connected to authentication providers that do not depend on a Windows domain. The authentication mode is:
- Web Services Federation (WS-Federation), which allows you to use Active Directory Federation Services (ADFS)
To configure this authentication mode, you must deploy the AIM Dashboard manually, without using the deployment tool.
To deploy the AIM Dashboard manually:
- Open IIS Manager.
- Right-click the site or application under which you want to deploy the AIM Dashboard.
- Select Import.
You can then enter the authentication settings described below as part of the Web Deploy import.
WS-Federation Authentication
The WS-Federation option lets the AIM Dashboard be authenticated by any identity provider that implements the WS-Federation specification, for example ADFS. This option does not support authentication for the following:
- Identity Delegation to the Workhub API or the AIM Dashboard Viewer
- Digital Asset Connector (DA Connector)
Configuring AVEVA Asset Information Management to Use WS Federation Authentication
To configure AIM to use a WS-Federation enabled identity provider, you must disable the Windows authentication option and serve the AIM Dashboard over HTTPS. HTTPS is not optional here: in the WS-Federation passive profile the identity provider returns the signed security token to the application URL through a browser POST, so a plain-HTTP application URL would expose that token on the wire.
All settings are prefixed with avevanet: and are added or modified in the appSettings section of the AIM Dashboard web.config file, in this form:
<add key="avevanet:*" value="*" />
Note: It is recommended that you configure all the settings via the Web Deploy Package for AIM Dashboard.
| Parameter | Description |
|---|---|
| authenticationProvider | Set to WS-Federation. |
| applicationRootUrl | The root URL of the application. For example: https://mydashboardapps.contoso.net/HelloWorld |
| authorityUrl | The URL of the WS-Federation authority. For example, if you have an ADFS instance whose URL is https://myadfs.contoso.net/, that URL is your authorityUrl. |
| dashboardClientId | An alternative ID for the AIM Dashboard client application when talking to the identity provider. The default ID is AVEVA.NET.Dashboard. |
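The following PowerShell is an added example, not AVEVA's code or part of the Web Deploy package. It writes the four avevanet: settings from the table into the Dashboard web.config (adding or updating each `<add key="..." value="..."/>`), refuses a non-HTTPS applicationRootUrl, and then disables IIS Windows authentication on the application while enabling anonymous access so an unauthenticated browser can be redirected to the identity provider. The physical path, the IIS site/application name, the URLs, and the reading of "disable the Windows authentication option" as the IIS-level setting are all assumptions; adjust them to your deployment.

```powershell
# Added example (not AVEVA's code). Run elevated on the IIS host that serves the AIM Dashboard.
# Paths, site/application names and URLs below are assumptions for illustration.
Import-Module WebAdministration

$siteApp   = 'Default Web Site/HelloWorld'               # assumed IIS site/application
$webConfig = 'C:\inetpub\wwwroot\HelloWorld\web.config'   # assumed physical path of the Dashboard

# The avevanet: settings from the table; replace the URLs with your own.
$settings = @{
    'avevanet:authenticationProvider' = 'WS-Federation'
    'avevanet:applicationRootUrl'     = 'https://mydashboardapps.contoso.net/HelloWorld'
    'avevanet:authorityUrl'           = 'https://myadfs.contoso.net/'
    'avevanet:dashboardClientId'      = 'AVEVA.NET.Dashboard'
}

# WS-Federation posts the signed token back to applicationRootUrl, so insist on HTTPS.
if (-not $settings['avevanet:applicationRootUrl'].StartsWith('https://', 'OrdinalIgnoreCase')) {
    throw 'avevanet:applicationRootUrl must use https://'
}

# Back up web.config, then add or update each key under <appSettings>.
Copy-Item -Path $webConfig -Destination "$webConfig.bak-$(Get-Date -Format yyyyMMddHHmmss)"
[xml]$xml = Get-Content -Path $webConfig -Raw
$appSettings = $xml.SelectSingleNode('/configuration/appSettings')
if (-not $appSettings) {
    $appSettings = $xml.DocumentElement.AppendChild($xml.CreateElement('appSettings'))
}
foreach ($key in $settings.Keys) {
    $node = $appSettings.SelectSingleNode("add[@key='$key']")
    if (-not $node) {
        $node = $appSettings.AppendChild($xml.CreateElement('add'))
        $node.SetAttribute('key', $key)
    }
    $node.SetAttribute('value', $settings[$key])
}
$xml.Save($webConfig)

# Assumption: "disable the Windows authentication option" means the IIS authentication
# modules. Turn Windows auth off and anonymous on for the application (written as a
# <location> entry in applicationHost.config, so it works even if the section is locked).
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $siteApp `
    -Filter 'system.webServer/security/authentication/windowsAuthentication' -Name enabled -Value $false
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $siteApp `
    -Filter 'system.webServer/security/authentication/anonymousAuthentication' -Name enabled -Value $true

# Verify: show the avevanet: keys now in web.config and the resulting IIS authentication state.
([xml](Get-Content -Path $webConfig -Raw)).SelectNodes('/configuration/appSettings/add') |
    Where-Object { $_.key -like 'avevanet:*' } | Format-Table key, value -AutoSize
Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $siteApp `
    -Filter 'system.webServer/security/authentication/windowsAuthentication' -Name enabled
Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $siteApp `
    -Filter 'system.webServer/security/authentication/anonymousAuthentication' -Name enabled
```

The script is idempotent: re-running it updates the existing keys rather than appending duplicates, and the timestamped backup lets you roll back if the Dashboard fails to start after the change.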
Configuring ADFS
If you are using ADFS as the WS-Federation identity provider, you must register AIM as a relying party.
To do so, add a Relying Party Trust with the following settings:
- Set the Relying Party Identifier for the AIM Dashboard to the applicationRootUrl plus /identity. For example, if the URL of your AIM Dashboard site is https://mydashboardapps.contoso.net/HelloWorld, the relying party identifier is https://mydashboardapps.contoso.net/HelloWorld/identity.
- Add a WS-Federation Passive Endpoint with the same value as the Relying Party Identifier. For the example above, both the Relying Party Identifier and the WS-Federation passive endpoint are https://mydashboardapps.contoso.net/HelloWorld/identity.
- Add the following claims for the AIM relying party:
  Name – Used as the name displayed under profile information in the AIM UI.
  Name ID – A unique name identifier that is used internally.
  Both claims can carry the same value.
Note: If you have an existing AIM installation, the user name must be the Windows account name (that is, CONTOSO\username). Existing user records are keyed on that name, and the same user is used within the application after switching to the WS-Federation authentication option, so the Name and Name ID claims must both be set to the Windows account name.
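The following PowerShell is an added example, not AVEVA's code or documentation, showing the ADFS side of the steps above: it registers the AIM Dashboard as a relying party whose identifier and WS-Federation passive endpoint are both applicationRootUrl plus /identity, issues the Name and Name ID claims from the Windows account name claim (which already has the CONTOSO\username form the note requires), adds a permit-all issuance authorization rule, and reads the trust back for verification. The dashboard URL and the trust's display name are assumptions.

```powershell
# Added example (not AVEVA's code). Run elevated on an ADFS server as a federation admin.
# The dashboard URL and trust name are assumptions for illustration.
Import-Module ADFS

$applicationRootUrl = 'https://mydashboardapps.contoso.net/HelloWorld'   # avevanet:applicationRootUrl
$trustName          = 'AVEVA AIM Dashboard'                              # assumed display name

# Identifier and passive endpoint are the same value: applicationRootUrl + /identity.
$identifier = $applicationRootUrl.TrimEnd('/') + '/identity'
if (-not $identifier.StartsWith('https://', 'OrdinalIgnoreCase')) {
    throw 'The relying party identifier must use https://'
}

# Issuance transform rules (ADFS claim rule language): copy the incoming Windows account
# name (CONTOSO\username) into both the Name and the Name ID claims, as the note requires.
$transformRules = @'
@RuleName = "AIM Name from Windows account name"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", Value = c.Value);

@RuleName = "AIM Name ID from Windows account name"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Value = c.Value);
'@

# Without an issuance authorization rule ADFS denies every token request for the trust.
# Permit-all is a starting point only; restrict it to a group claim before production use.
$authorizationRules = @'
@RuleName = "Permit all users"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Do not silently overwrite an existing trust with the same identifier.
if (Get-AdfsRelyingPartyTrust -Identifier $identifier) {
    throw "A relying party trust with identifier $identifier already exists"
}

Add-AdfsRelyingPartyTrust -Name $trustName `
    -Identifier $identifier `
    -WSFedEndpoint $identifier `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authorizationRules

# Verify what ADFS recorded: identifier and passive endpoint must match exactly the
# applicationRootUrl + /identity value used by the Dashboard web.config.
$rp = Get-AdfsRelyingPartyTrust -Name $trustName
[pscustomobject]@{
    Identifier    = ($rp.Identifier -join ', ')
    WSFedEndpoint = $rp.WSFedEndpoint
    Enabled       = $rp.Enabled
}
```

If the identifier recorded in ADFS differs from applicationRootUrl plus /identity in any character (scheme, host, trailing slash), ADFS will reject the sign-in request for an unknown realm, so compare the verification output against the web.config value before testing from a browser.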