Please ensure Javascript is enabled for purposes of website accessibility
Powered by Zoomin Software. For more details please contactZoomin

AVEVA™ PI Vision™

Select an authentication mode and identity AF server

Save PDF
Save selected topicSave selected topic and subtopicsSave all topics
Share
Share to emailCopy topic URL
TABLE OF CONTENTS

Select an authentication mode and identity AF server

Save PDF
Save selected topicSave selected topic and subtopicsSave all topics
Share
Share to emailCopy topic URL
  • Last UpdatedOct 23, 2025
  • 4 minute read

On the Identity tab of the Security page, select the AF server from which PI Vision obtains identities for authorization and display sharing, select the authentication mode, and register the PI Vision server with the AVEVA Identity Management server.

Select an identity AF server and authentication mode

  1. In the Identity AF Server dropdown, select the name of the AF server from which PI Vision obtains the identities that it uses for authorization and display sharing.

  2. Select the PI Vision user authentication mode used in your environment.

    • Windows only

    • OpenID connect only

    • OpenID Connect and prompt for Windows credentials when required: Select this mode if your environment has a mix of systems using OpenID Connect and Windows authentication. This allows users to connect to systems that still use Windows authentication, but has some limitations:

      • When using this mode, the Assets pane in AVEVA PI Vision will show all allowed AF databases in the list instead of hiding databases that the user does not have access to; this is done to prevent unnecessary Windows authentication prompts. If you have numerous AF databases and each user interacts with only a few databases, be aware that the Assets pane may appear cluttered for users.

      • Searching for Events with an Event Attribute value filter or configuring a collection or symbol to use Asset Search Criteria with Asset Attribute value filters will return the expected results only if the AF Server and PI Data Archive use the same authentication mode. For example, if you perform an Asset search within an AF Server that uses OpenID Connect while filtering on an attribute value that references PI Point data, the search will not return the expected results if the PI Data Archive accepts only Windows authentication.

        Note: Before you can select any of the OpenID Connect options, the Identity AF Server needs to be configured for OIDC authentication.

  3. If you selected OpenID connect only, select your preferred Connection to PI Data Archive and AF Servers option:

    • Use Windows identity of IIS application pools: Users authenticate with OpenID Connect, and the PI Vision application authenticates with Windows.

    • Use OpenID Connect with Process Identity Client ID <client ID>: Users and the PI Vision application both authenticate with OpenID Connect.

      If you selected either of the other authentication modes, Use Windows identity of IIS application pools is automatically selected.

  4. If you selected the Windows only authentication mode, select Save and proceed to Configure security. If you selected another authentication mode, continue to Configure OpenID Connect authentication below.

Configure OpenID Connect authentication

  1. If the PI Vision server has already been registered, select Save. If the PI Vision server has not been registered, select whether to create a new registration or use an existing registration.

  2. If you selected Create a new registration:

    1. The PI Vision URL field is automatically populated with a PI Vision URL. Select Add PI Vision URL to add any other URLs and URL variations (for example FQDN, hostname, localhost, and aliases) used to access this installation of PI Vision.

      Note: You cannot add URLs through the PI Vision Administration site after registration is complete. If you need to add URLs after the PI Vision server has been registered, use the registration utility (RegisterPIVisionIdentityClient.exe) to delete the registration, then create a new registration. Alternatively, an administrator can add the URLs on the AVEVA Identity Management server.

    2. Copy the provided registration utility command and run it in the command prompt on the PI Vision server.

      After the registration utility command runs successfully, the message Identity client registered appears in the command prompt, followed by the identity client details.

      Note: To see all options for the registration utility, run the following command: "%PIHOME64%PIVisionUtilities\RegisterPIVisionIdentityClient.exe" /?

    3. Select Save on the Identity tab of the Security page.

      The client registration details appear.

  3. If you aren't creating a new registration, select Use an existing registration. This option is used if there are multiple instances of PI Vision, such as when using a load balancer. If you selected this option:

    1. Enter the appropriate values from the Identity Client Registration on the AVEVA Identity Management server.

    2. Select Save.

      The client registration details appear.

    Grant PI Vision Process Identity permissions using OpenID Connect

    If you selected the OpenID connect only authentication mode with the Use OpenID Connect with Process Identity Client ID option, proceed to Configure PI Vision Process Identity for OpenID Connect to configure a mapping for the PI Vision Process Identity on each AF and PI Data Archive server from which PI Vision accesses data.

    Update PI Vision registration information

    After a PI Vision upgrade is applied, the PI Vision registration information may need to be updated. If the PI Vision registration information is out of date, the following message will appear on the Identity tab of the Security page: Registration information is out of date and needs to be updated. Follow the instructions provided on the page to update the PI Vision registration.

    In This Topic
    TitleResults for “How to create a CRG?”Also Available in