Configure AVEVA Identity Manager for redundancy

After you install AVEVA PCS 8.2.1 for the PI System, use the Configurator utility to set up AVEVA Identity Manager (AIM) for your PI Server environment. The set up includes:

• Designating a System Management Server (SMS)

• Configuring Redundant Single Sign-On (RSSO) servers

• Federating with an identity provider

• Configuring certificates

For more information about the Configurator utility, see Learn about the AVEVA Identity Manager.

For a conceptual overview of how AIM redundancy and client authentication failover work, see Redundant SSO Handling for AF Clients.

Prerequisites

• Install PCS on all AIM nodes.

• Sign in with an account that is a member of the aaAdministrators group.

• Run the Configurator utility as administrator.

• Synchronize clocks on all servers using the Network Time Protocol (NTP).

Existing AIM environments

If you are adding a Redundant Single Sign-On (RSSO) server to an existing AIM environment, you may only need to configure the RSSO node by selecting the checkbox and entering the SMS hostname or IP address. See Step 5, Configure redundant SSO servers (RSSO) in the procedure below.

Procedure (First-time setup)

1. Designate the System Management Server (SMS):

   1. Sign in to the Windows machine you want to use as the SMS node.

   2. On the SMS node, open the Configurator utility.

   3. Select This machine is the System Management Server.

   4. Select Configure and follow the guided steps.

      Important: Only one SMS can be assigned per PI Server environment. The SMS manages configuration and issues authentication tokens.

      See also: Configure the AVEVA Identity Manager.

2. Configure identity federation:

   5. In the Configurator utility, select the Authentication tab.

   6. Choose your identity provider (IdP):

      • CONNECT (recommended)

      • Microsoft Entra ID

   7. Follow the prompts to complete the federation.

   See also: Configure CONNECT as the external identity provider and Register CONNECT endpoints with AIM.

3. Configure certificates:

   8. Open the Certificates tab in the Configurator utility.

   9. Take one of the following actions:

      1. Use the auto-generated certificate.

      2. Import a trusted .pfx certificate.

   10. Ensure all clients and servers trust the AIM server certificate.

   See also: Option 1: Use the AIM certificate or Option 2: Import a certificate using the Configurator utility for certificate setup options.

4. Verify that all clients and servers in the environment trust the AIM server certificate.

5. Configure RSSO servers:

   11. Log in to the Windows machine you want to use as the redundant node.

   12. On each RSSO node, open the Configurator Utility.

   13. Select Configure this node as a Redundant SSO Server.

   14. Enter the hostname or IP address of the SMS.

   15. Select Configure, then complete the guided steps.

   16. Repeat these steps for each RSSO node.

   Important: If you convert an existing RSSO server that is currently used by an AF Client application back into an SMS server, connections to that AIM server will no longer work. The RSSO server may still appear in the list temporarily. To ensure updates are retrieved from the AF Server or Data Archive, refresh the list and then either wait 24 hours for changes to take effect or restart the AF Client application.

6. Verify the deployment:

   On each node, open the Configurator utility, and verify that the AIM service status shows the node is connected to the SMS.

Troubleshooting

You can use the piartool utility to verify that RSSO servers are discoverable in your environment.

piartool -rsso

This command is useful for confirming that AIM is correctly configured and that the client machine can detect RSSO servers. It’s especially helpful when troubleshooting OIDC authentication issues.

For more information see, piartool command-line options.