Map a role or client ID to a PI identity using OIDC

You can map an AVEVA Identity Manager (AIM) role or client ID to a PI identity using Open ID Connect (OIDC) instead of Windows authentication. This feature enables you to use claims-based authentication to map a role or client ID to a PI identity in PI System Management Tools (SMT).

The basic process for mapping a role or client ID to a PI identity is very similar to mapping a Windows user or group to a PI identity. The only difference is selecting the OIDC authentication method during the process. In PI SMT, claims-based authentication using OIDC is restricted to the creation of PI Identity mappings. All other PI SMT plug-ins and tools use Windows authentication.

Prerequisites:

• Your AIM Server account must be a member of the Application Access (AA) administrator group on the AIM server. If you try to sign on to the AIM server during this procedure using an account that is not a member of the AA administrators group, you cannot complete the procedure.

• Before you can map a role to a PI identity, Data Archive and the AIM server must be configured. See Data Archive installation and upgrade.

To create a new mapping from a role or client ID to a PI identity using OIDC, complete these steps:

1. Open the PI SMT Administrator window.

2. In the System Management Tools pane, select Security, then select Mappings and Trusts.

   A list of the current mappings is displayed in the Mapping tab.

3. Do one of the following:

   • Right-click in the list view of the Mappings tab.

   • Select the Add New Mapping icon (directly above the Mapping tab).

     The Add New Mapping dialog opens.

4. Select the Open ID Connect option.

   

5. Retrieve roles or client IDs from the AIM server for mapping, and choose them in the Select an OIDC Mapping dialog. Once this step is complete, proceed to the Add New Mapping dialog to finalize the mapping process.

   1. In the Add New Mapping dialog, select next to the Role text box, or Client Name text box. A connection message displays to notify you that PI SMT is attempting to connect with the AIM server.

   2. Once the connection is made, enter your credentials in the sign on page, and click Sign in. The browser displays a message that sign on was successful.

      Note: If the connection is not made in a reasonable amount of time, click Cancel to stop the connection request and try again.

      The Select an OIDC Mapping dialog opens populated with the list of configured roles or client IDs.

   3. Select the mapping type, and use the Filter text box to search for specific roles or client IDs. Double-click your selection, and then click OK. This dialog lists only the current roles or client IDs that you have access to that can be mapped as a PI identity.

      Tip: Select Role mapping to manage access for groups of users. Select Client ID mapping to manage access for specific registered client applications (Client IDs) in AIM. Only Client IDs registered with AIM are available for selection.

      

6. Return to the Add New Mapping dialog which now shows your selections either in the Role text box, or in the Client name text box.

7. In the Description text box, enter a description for the new PI identity mapping.

8. In the Add New Mapping dialog, select next to the PI Identity text box. This action prompts a new window to open, displaying the Select PI Identity, PI Group, or PI User dialog. Double-click on your choice, and then click OK to confirm your selection.

   

9. Return to the Add New Mapping dialog, click Create.

   The new PI Identity mapping is automatically added to the Mapping tab in PI SMT.