
CONNECT

Implement federation

  • Last Updated Aug 21, 2025
  • 2 minute read

By default, CONNECT provides access to non-federated users with user accounts, passwords and multifactor authentication (MFA) all managed directly with CONNECT.

However, if you have a supported identity provider (IdP) you can request federated authentication for CONNECT through your own single sign-on (SSO) system. This can enable your users to have seamless and secure access to CONNECT, without requiring them to maintain separate credentials.

Federation is available to enterprise customers who are the registered owner of the email domain of their users.

Note: Multifactor authentication for federated users must be configured with your IdP. For more details about MFA, see Enforce multifactor authentication.

There are two federated authentication modes available:

  • Domain-based federation

    All users from your configured domains will use their federated logins to log in to any CONNECT account. This is the most frequently used mode.

  • Connection code federation

    All users of your CONNECT account are authenticated through your identity provider, even if they would be authenticated through another method by default. This is an advanced configuration intended for when third parties are invited as guests into your identity provider.

To start the federation process, read the documentation in this section first. When you are familiar with the requirements, raise a support request with AVEVA Technical Support to initiate the process.

Operational considerations

Consider the following when you configure federation with CONNECT:

  • Only authorized IT or security admins should initiate and manage federation.

  • By default, federation is configured at the domain level and applies to all users in the domain. Federation also applies to every CONNECT service at that domain.

  • When federation is enabled at the domain level, all users in the domain will be required to sign in with their corporate credentials. There is no option to exclude individual users.

  • Additional IdP configuration, such as MFA, should be considered for the domain. We recommend you configure MFA for your federated users to further secure your account. CONNECT does not provide MFA services for federated users directly.

  • Ensure configuration aligns with your policies and appropriate data protection regulations.

  • Federation linked to CONNECT does not extend to other functions, such as the AVEVA Support site or Microsoft Teams.

Supported identity providers and protocols

CONNECT can delegate user authentication to your chosen IdP if it supports the following authentication protocols:

  • Entra ID

  • SAML 2.0

  • OpenID Connect

For more detailed information on these providers, see Domain federation prerequisites and requirements.
