Single Sign-On (SSO) using claims authentication in PI Vision

better to provide the functions: 1. Login the PIVision with remembered password 2. Force login the pivision with password 3. After enter 3 times wrong password, lock the account in 1 hour

How many years is this expected to be in CTP? From our contacts with customer support, I expect OSIsoft to have gathered enough experience (and it is working well enough) to finally officially support this.

Notification screenshots would also need to work with SSO, we currently have SSO set up with claims authentication (OIDC) and this doesn't work for PI notification email graphic screenshots.

Azure (B2B and B2C). Our company uses AAD wherever possible. On-prem is seen as legacy (although still heavily used!). We would switch internal users to AAD auth. And it would allow us to auth external users as well.

We use Open ID Connect with Okta to do multi-factor authentication and provide sign ins to PI Vision for external customers outside of our business network.

We currently use OneLogin as an identity provider but have not yet configured PI Vision to use OIDC. If PI Vision supported OIDC more natively it would allow us to more easily add multi-factor authentication and all of the other features that IDPs offer more easily to the process of logging into PI Vision. This would greatly improve our confidence in offering external logins as we are a Connected Services Partner. It would also add confidence to our end-users as multi-factor authentication is now seen as pretty normal.

First, I’d like to say that today we have a production environment running the claims-based authentication. We currently use Memority as Identity Provider for our whole company ecosystem (many protocols supported but for PI Vision we work with OpenID Connect). We publish the site from On Premise (seen as "legacy" or even "old IT") over the internet with this third party auth via enterprise-grade reverse proxy solution for several purposes: 1. Company Laptop - connect to PI Vision without mounting VPN on laptops when on mobility or Working From Home (especially during covid-like crisis). 2. Other Company devices - connect to PI Vision from phone/tablet that are not compatible with Windows Integrated Security, from anywhere without entering login/password. 3. Company BYOD - connect to PI Vision from any personal device without installing any third-party app/vpn. 4. Partners - share displays & data to partners without the need to provide them with full access to our AD domain nor a company workstation. 5. Last and not tested yet because of missing prerequisite but reaching PI Vision within a full PI System in Azure tenant context - still avoiding reverting to basic auth. As seen in a case today the only alternative provided is to use Azure AD Application Proxy (https://docs.microsoft.com/en-us/azure/active-directory/app-proxy/what-is-application-proxy). This is an entirely different solution than just claims-based authentication and requires an architecture study and risk analysis. Plus I’m not sure the 5th use-case could be covered by this solution. PS: As of today, our end-users do not know their own AD password.

There should be an option where PI Vision can be installed in a non-domain environment. Like if the PI Systems is setup behind DMZ using only local authentication.