
Proficy Authentication 2022 User Guide
GE Digital

Proprietary Notice

The information contained in this publication is believed to be accurate and reliable. However, General Electric Company assumes no responsibilities for any errors, omissions or inaccuracies. Information contained in the publication is subject to change without notice.

No part of this publication may be reproduced in any form, or stored in a database or retrieval system, or transmitted or distributed in any form by any means, electronic, mechanical photocopying, recording or otherwise, without the prior written permission of General Electric Company. Information contained herein is subject to change without notice.

2022, General Electric Company. All rights reserved.

Trademark Notices

GE, the GE Monogram, and Predix are either registered trademarks or trademarks of General Electric Company.
Microsoft is a registered trademark of Microsoft Corporation, in the United States and/or other countries.
All other trademarks are the property of their respective owners.

We want to hear from you. If you have any comments, questions, or suggestions about our documentation, send them to the following email address: [email protected]

Contents

Chapter 1. Proficy Authentication ... 4
  About Proficy Authentication ... 4
  Set up Proficy Authentication ... 4
  Log in to Configuration Hub ... 9
  Application Overview ... 10
  Enable SAML ... 11
  Configure Okta as SAML IDP ... 12
  Manage Identity Providers ... 16
    Configure LDAP Identity Provider ... 16
    Configure SAML Identity Provider ... 18
    Enable Multi-Factor Authentication ... 20
    Modify LDAP Identity Provider ... 22
    Modify SAML Identity Provider ... 25
    Delete Identity Provider ... 26
  Manage Groups ... 26
    Overview of iFIX Groups in Proficy Authentication ... 26
    Overview of Historian Groups in Proficy Authentication ... 27
    Create Groups ... 28
    Modify Groups ... 29
    Map Groups ... 30
    Add/Remove Users in a Group ... 33
    Add/Remove Sub-Groups in a Group ... 34
    Delete Group ... 35
  Manage Users ... 35
    Create Users ... 35
    Add/Remove Groups for a User ... 38
    Reset User Password ... 39
    Delete User ... 39
  Windows Auto-login ... 40
    Configure Security Policy ... 41
    Create Service Principal ... 43
    Generate Keytab File ... 44
    Update YAML File ... 47
    Configure Browser ... 48
  Troubleshooting Error Logs ... 48

Chapter 1. Proficy Authentication

About Proficy Authentication

Proficy Authentication (UAA) provides identity-based security for Proficy based applications and APIs. It supports open standards for authentication and authorization, including OAuth2. You can configure Proficy Authentication from Configuration Hub.

When a user is created or deleted in a product that uses Proficy Authentication, the associated user account is created or deleted in the Proficy Authentication instance, respectively.

Several Proficy products use Proficy Authentication, including Historian, Plant Applications, and Operations Hub. To use Proficy Authentication, you must install one of these products. Each product can install an independent instance of Proficy Authentication, or it can reuse an existing instance of Proficy Authentication which was previously installed by another Proficy product. When more than one product uses the same instance of Proficy Authentication, this is called a shared or common Proficy Authentication.

Shared Proficy Authentication (UAA) means that if you have a Proficy product installed that uses Proficy Authentication, additional Proficy products installed after that initial product can also share that existing, already configured Proficy Authentication architecture.

Proficy Authentication can additionally be configured to use an external identity provider. This includes identity providers which use Lightweight Directory Access Protocol (LDAP) or Security Assertion Markup Language (SAML). When you integrate Proficy Authentication with an external identity provider, you can provide the users and groups from that identity provider with access to Proficy products and their features.

Set up Proficy Authentication

Set up Proficy Authentication in Configuration Hub.

The following steps describe how to set up Proficy Authentication in Configuration Hub. Setting up authentication provides access to all the products (Historian, iFIX) registered with Configuration Hub. You use the same Proficy Authentication server to authenticate.

1. Double-click the Configuration Hub desktop icon to launch the Configuration Hub application.
2. Select Setup Authentication.

Proficy Authentication 1 - Proficy Authentication 5

   The Configuration Hub Administrator Credentials screen appears.
3. Enter the details for logging in to the Configuration Hub application.

   Client ID
       The client ID provided during installing Configuration Hub. Example: confighubadmin

   Client Secret
       The client secret provided during installing Configuration Hub.

4. Select Verify.
   If the credentials are correct, the Register with Proficy Authentication screen appears.
5. Provide these details to configure the Proficy Authentication application.
   These fields are populated automatically if you opted for installing Proficy Authentication along with Configuration Hub. You have the option to edit and update the details.

   Server Name (Fully Qualified Name)
       The host name of the machine where Proficy Authentication is installed.
       Enter a fully qualified domain name. For example, desktop-sahfg5f.logon.ds.ge.com

       Refer to step 6 to establish a trust with this server connection.

   Server Port
       The port number to communicate with the host machine. The default port where UAA is installed is 443.
       The server connection is automatically tested on entering the port. You can also select Test to test the connection.

   Use Configuration Hub Administration credentials for Proficy Authentication
       Select this check box to populate the same login credentials you entered for the Configuration Hub Admin account.
       If you want to use unique login credentials for Proficy Authentication, clear the check box and enter CLIENT ID and CLIENT SECRET.

   Proficy Authentication Client ID
       The administrator client identifier that has permission (authority) to log in to Proficy Authentication.

   Proficy Authentication Client Secret
       The administrator client secret to log in to Proficy Authentication.

6. Select Not trusted to establish a trust connection between Configuration Hub and Proficy Authentication.
   The Certificate Details screen appears.
7. Select Trust.
   The trusted certificate(s) are added to the Windows store on the machine where Configuration Hub is installed.

8. Select Register.
9. Select Ok.
   The Configuration Hub Login screen appears. Refer to Log in to Configuration Hub (on page 9).

Configuration Hub is set up as a client for Proficy Authentication. The following default user is created to log in to the Configuration Hub (on page 9) application.

   User ID
       ch_admin

   Password
       The client secret you entered for Proficy Authentication.

Log in to Configuration Hub (on page 9) and perform operations related to Proficy Authentication.

Log in to Configuration Hub

Log in as a user or client.

Set up Proficy Authentication (on page 4)

You can log in to Configuration Hub with user credentials or as a client administrator (on page 10).

1. On the Configuration Hub Login screen, select Continue to Login.
2. Enter your user login credentials.
3. Select SIGN IN.
   You are now logged in as a user.

Log in as Client Administrator

1. On the Configuration Hub Login screen, select Login as Proficy Authentication (UAA) admin.
2. Enter Admin Client ID and Client Secret.
3. Select SIGN IN.
   You are now logged in as a client.

Application Overview

Proficy Authentication provides identity-based security for Proficy based applications and APIs.

You can perform the following tasks in Proficy Authentication:
- Configure UAA/LDAP/SAML identity providers
- Create new user accounts

- Create new group accounts and add users/other groups as members
- Perform UAA/LDAP/SAML group mapping

Displaying Data Columns

You can show or hide columns within the Proficy Authentication application.

1. Select the column chooser icon for the respective data. The Column Chooser dialog appears with a list of available columns.
2. Select the check box for the column you want to show. To hide a column, clear its check box.
3. Close the dialog to apply the changes.

Sorting Data

The sorting option appears when you select a data column. Select the ascending icon to sort data in an ascending order. Select the descending icon to sort data in a descending order.

Filtering Data

The filtering option appears next to each data column.

1. Select the filter icon for the data you want to filter. A screen appears with a list of existing data in that column.
2. Select the check box for the data you want to filter. To undo filtering, you can Select All.
3. Select OK to apply.

Searching Data

Use the search option to search for existing accounts in Proficy Authentication. You can also filter account details using search keywords.

Enable SAML

This topic describes how to configure SAML identity providers for Proficy Authentication.

To enable SAML for Proficy Authentication, you will need to download the Proficy Authentication service provider's metadata file. Visit https://<FQDN of the machine where Proficy Authentication is installed>/uaa/saml/metadata to download the saml-sp.xml file. This file contains all the information to fulfill the mandatory details for generating the metadata XML file from identity providers.

See Configure Okta as SAML IDP (on page 12).

Configure Okta as SAML IDP

1. Create an account in Okta.
   a. Visit https://developer.okta.com/.
   b. Sign up for an Okta account using your email address.
2. Log in to your newly created Okta account.
3. Navigate to Applications > Applications.
4. Select Create App Integration.
   The Create a new app Integration screen appears.
5. Select SAML 2.0, then select Next.

   The Create SAML Integration screen appears.
6. Under General Settings, provide a name and logo for your application, then select Next.
7. Under Configure SAML, fill out these details:

   Single sign on URL
       Use the downloaded Proficy Authentication metadata file (on page 11) saml-sp.xml to get the URL for this field. It should look something like this: [screenshot]

   Audience URI (SP Entity ID)
       Refer to saml-sp.xml to get the logout URL. It should look something like this: [screenshot]

   Enable Single Logout
       a. Select Show Advanced Settings.
       b. Select the check box for Allow application to initiate Single Logout.
       c. Enter Single Logout URL. Refer to saml-sp.xml to get the logout URL. It should look something like this: [screenshot]

   Attribute Statements (optional)
       Add user attribute statements such as email, first name, and last name as shown here: [screenshot]

   Group Attribute Statements (optional)
       Add group attribute statements such as groupA and groupB as shown here: [screenshot]

   Note: The setting option mentioned in this topic is the minimum requirement for setting up the SAML identity provider. Refer to the Okta documentation for information on using additional settings.

8. Select Next.
9. Provide your feedback and select Finish.

   Your application is created.
10. Under Sign On, select Identity Provider metadata.
    The metadata opens in a new tab.
11. Save the metadata as an .xml file.
    Use the metadata xml file to configure a SAML identity provider (on page 18) in Proficy Authentication.
12. Under Assignments, you can assign the app to groups and individual users.
    If there are no users/groups, navigate to Directory > People to create and activate new users/groups in Okta.
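The Okta values in step 7 (Single sign on URL, Audience URI (SP Entity ID), Single Logout URL) all come from the saml-sp.xml downloaded from /uaa/saml/metadata. The following Python is an added example, not GE's or Okta's code: it parses a constructed metadata file of that shape, maps the standard SAML 2.0 metadata elements onto those Okta fields (entityID as the SP Entity ID, the HTTP-POST AssertionConsumerService as the sign-on URL, the HTTP-POST SingleLogoutService as the logout URL), and flags endpoints that are not HTTPS or that do not share the service provider's host. The host uaa.example.test and the file contents are constructed for the example.

```python
"""Pull the Okta "Configure SAML" values out of a Proficy Authentication SP metadata file.

Added example, not GE code. The metadata below is a constructed sample shaped like the
saml-sp.xml a UAA-based service provider publishes; uaa.example.test is fictional.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample standing in for a downloaded saml-sp.xml.
SAMPLE_SP_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://uaa.example.test/uaa/saml/metadata">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://uaa.example.test/uaa/saml/SingleLogout/alias/uaa.example.test"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://uaa.example.test/uaa/saml/SSO/alias/uaa.example.test" index="1"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://uaa.example.test/uaa/saml/SSO/alias/uaa.example.test" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def _location(elements, binding):
    """Return the Location of the first element that uses the given binding, or None."""
    for el in elements:
        if el.get("Binding") == binding:
            return el.get("Location")
    return None


def okta_fields_from_sp_metadata(xml_text: str) -> dict:
    """Map SP metadata onto the Okta fields the guide lists in step 7."""
    # ElementTree does not fetch external entities; for metadata from an untrusted
    # source, defusedxml.ElementTree is the safer drop-in parser.
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    sp = root.find(f"{{{MD}}}SPSSODescriptor")
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is not service-provider metadata")

    entity_id = root.get("entityID")
    # Okta posts the SAML response to the ACS, so the HTTP-POST endpoint is the SSO URL.
    sso_url = _location(sp.findall(f"{{{MD}}}AssertionConsumerService"), HTTP_POST)
    slo_url = _location(sp.findall(f"{{{MD}}}SingleLogoutService"), HTTP_POST)
    if not entity_id or not sso_url:
        raise ValueError("metadata lacks an entityID or an HTTP-POST AssertionConsumerService")

    fields = {
        "single_sign_on_url": sso_url,
        "audience_uri": entity_id,
        "single_logout_url": slo_url,
        "name_id_formats": [e.text for e in sp.findall(f"{{{MD}}}NameIDFormat")],
        "wants_signed_assertions": sp.get("WantAssertionsSigned") == "true",
    }
    fields["findings"] = review_endpoints(fields)
    return fields


def review_endpoints(fields: dict) -> list:
    """Findings worth raising before the values are pasted into an identity provider."""
    findings = []
    sp_host = urlsplit(fields["audience_uri"]).hostname
    for name in ("single_sign_on_url", "single_logout_url"):
        url = fields[name]
        if url is None:
            continue
        parts = urlsplit(url)
        if parts.scheme != "https":
            findings.append(f"{name} is not https; assertions would travel in clear text")
        if parts.hostname != sp_host:
            findings.append(f"{name} host {parts.hostname} differs from the SP entity host {sp_host}")
    if not fields["wants_signed_assertions"]:
        findings.append("SP does not require signed assertions")
    return findings


if __name__ == "__main__":
    for key, value in okta_fields_from_sp_metadata(SAMPLE_SP_METADATA).items():
        print(f"{key}: {value}")
```

Run the script against a real saml-sp.xml by replacing SAMPLE_SP_METADATA with the file contents; an empty findings list means the three URLs are HTTPS and all point at the host named in the entityID.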

Manage Identity Providers

Configure LDAP Identity Provider

You can add more than one LDAP connection.

Log in to Configuration Hub (on page 9) with a user/client having write access for admin and clients.

1. Go to Proficy Authentication > Security > Identity Provider.
2. Select the add icon and then select LDAP.
   The LDAP Identity Provider screen appears.
3. Enter the following details:

   URL
       The URL of the LDAP server. The trailing slash (/) must be included at the end of the URL.
       You can use LDAP with or without secure authentication in the following format:
       - Insecure port: ldap://100.100.100.2:389/
       - Secure port: ldaps://100.100.100.2:636/
       You can also use a fully qualified domain name instead of an IP address.
       For a secure port, provide user credentials.

   Bind User Distinguished Name
       Distinguished LDAP user name. Describes the part of the hierarchy the user belongs to on the Active Directory network.

       CN = Common Name. DC = Domain Component. OU = Organization Unit Name.
       The CN and DC are typically required, and the OU is optional.
       For example: CN=JohnSmith,OU=Factory,DC=Company,DC=COM

   Password
       The password to log in to the LDAP server if you choose secure authentication.

   Test
       Tests the connection to the LDAP server. If the URL and login details are correct, you will receive a test successful message.

   Skip SSL Verification
       This option appears only when you choose a secure port for LDAP.
       Select this check box if you want to skip establishing a secure connection between client and server for exchanging LDAP data.
       Clear the check box to allow SSL verification. Refer to step 4.

4. If you choose to secure LDAP, select the icon for SSL verification.
   A message appears when the security certificate is trusted and added to the store.
   If the certificate is not added automatically, a message appears allowing you to manually add it.

   Select Browse to navigate and choose the server certificate from your local system.
5. Optional: Select the icon to view the certificate.
6. Select Save.
   The LDAP identity provider is created.

Configure SAML Identity Provider

You can add multiple SAML connections.

Log in to Configuration Hub as an administrator.

1. Go to Proficy Authentication > Security > Identity Provider.
2. Select the add icon, then select SAML.

   The SAML Identity Provider screen appears.
3. Enter the following details:

   Metadata Location
       Select Metadata XML to upload the XML document and populate the location URL in this field. The XML file contains the metadata to interact with SAML enabled identity providers (Azure, ADFS, or Okta). Refer to Configure Okta as SAML IDP (on page 12).

   Name
       Name of the SAML identity provider.

   Attribute Name
       The attribute that contains the group membership information about a user in a SAML assertion.

   Name ID
       SAML Name ID and associated fields that you want to use in a link test.

   Enable SAML Link
       Select the check box.

4. Select Save.
   The SAML identity provider is created.

Enable Multi-Factor Authentication

This topic describes how to enable multi-factor authentication for users.

Install the Google Authenticator app on your mobile device.

Only administrators can enable multi-factor authentication (MFA) for users.

Note: Enabling MFA also enables two-factor authentication for UAA and LDAP users as both the identity providers have a common login entry point.

1. Log in to Configuration Hub as an administrator.
2. Go to Proficy Authentication > Security > Identity Provider.
   The existing list of identity providers appears.
3. Select the UAA record for which you want to enable the multi-factor authentication.
   The option to enable MFA appears on the DETAILS panel under the MFA section.
4. Enable the toggle switch for MFA.
   By default, MFA is disabled.

   The multi-factor authentication for UAA is enabled.
5. Select Authenticator.
   Currently, Google Authenticator is the only available authenticator.
6. Restart the GE Proficy Authentication Tomcat Web Server service.
7. Activate multi-factor authentication for user logins.
   You need to perform the following steps only for the first time for every user login.
   a. Log in to Configuration Hub with UAA user credentials.
      The MFA setup screen appears with a barcode.
   b. Open the Google Authenticator app on your mobile device and scan the barcode.

      The authentication app validates the user login and displays a 6-digit code. Barcode scanning appears only for the first time validation for every user login.
   c. On your browser, select Next on the MFA setup screen.
      The code verification screen appears.
   d. Enter the 6-digit code in the passcode field and select Verify.
      You are logged in successfully.

Multi-factor authentication is enabled for both UAA and LDAP users.

Modify LDAP Identity Provider

This topic describes how to modify the existing details for the LDAP account.

Configure LDAP Identity Provider (on page 16)

1. Log in to Configuration Hub as an administrator.
2. Go to Proficy Authentication > Security > Identity Provider.
   The existing list of identity providers appears.
3. Select the LDAP identity provider.
   The existing information for the identity provider appears on the DETAILS panel.
4. Select the icon to display the details in a pop-up screen.

   The LDAP Identity Provider screen appears.
5. You can modify the existing information and save the changes.
6. To modify existing search criteria values, place your cursor and enter the new value for the respective criteria.
   Use these settings to enable the sub-directories in your search criteria.

   Group Base
       Example value: OU=Sales,OU=Groups,OU=Enterprise,DC=company,DC=com
       Defines the starting point for the LDAP group search in the Active Directory tree.
       CN = Common Name. DC = Domain Component. OU = Organization Unit Name. The CN and DC are typically required, and the OU is optional.
       If you use only DC=Ge,DC=com, a timeout may occur due to slow system response. Use the exact OU to avoid a timeout.

   User Base
       Example value: OU=Sales,OU=Users,OU=Enterprise,DC=company,DC=com
       Defines the starting point for the LDAP group user search in the Active Directory tree.
       If you use only DC=pa,DC=com, a timeout may occur due to slow system response. Use the exact OU to avoid a timeout.

   User Filter
       Example value: cn={0}
       Allows the LDAP user (Active Directory user) to log in with their display name. This field is populated by default.
       Example value: sAMAccountName={0}
       Allows the LDAP user (Active Directory user) to log in with their account name (Windows login name). This field is populated by default.

   Group Filter
       Example value: member={0}
       Retrieves the memberOf attribute values for the specific user. This field is populated by default.

   Max Filter
       Example value: 10
       Defines the maximum depth for searching the LDAP groups. The default value is 10. For very large systems, set the value to 2 as it may impact system performance.

Modify SAML Identity Provider

This topic describes how to modify the existing details for a SAML account.

Configure SAML Identity Provider (on page 18)

1. Log in to Configuration Hub as an administrator.
2. Go to Proficy Authentication > Security > Identity Provider.
   The existing list of identity providers appears.
3. Select the SAML identity provider you want to modify.
   The existing information for the identity provider appears on the DETAILS panel.
4. Select the icon to display the details in a pop-up screen.
   The SAML Identity Provider screen appears.

5. You can modify the existing information and save the changes.
6. You can also modify items under the OTHER SAML PROPERTIES section. Enter a new value to replace the existing value.

Delete Identity Provider

This topic describes how to delete identity providers.

Log in to Configuration Hub as an administrator.

1. Go to Proficy Authentication > Security > Identity Provider.
   The existing list of identity providers appears.
2. Select the identity provider you want to delete.
   Additional options appear under the ACTION column.
3. Select the icon, then Delete.
   A message appears to confirm the delete action.
4. Select Delete.
   The identity provider record is deleted from the Proficy Authentication database.

Manage Groups

Overview of iFIX Groups in Proficy Authentication

Proficy Authentication provides access to the following security groups for iFIX access: scada.fix.shared.IFIX_PROFICY_AUTH_ADMIN, scada.fix.shared.APPLICATION_DESIGNER, scada.fix.shared.OPERATORS, and scada.fix.shared.SUPERVISORS.

The following descriptions explain the access provided for iFIX groups in Proficy Authentication.

- scada.fix.shared.IFIX_PROFICY_AUTH_ADMIN: This group allows access to all iFIX application features. Any Proficy Authentication user who is a member of this group will have privileges similar to a native iFIX ADMIN user (except the access to security areas). Proficy Authentication users who want to directly log in to iFIX can use this group.
  This group is not available by default when you upgrade from iFIX 6.1 or 6.5. You must manually create this group with all the iFIX application features as needed.
- scada.fix.shared.APPLICATION_DESIGNER: This group allows a user to access Configuration Hub and provides use of iFIX features such as iFIX connection, database, and model management.
  This group is not available by default when you upgrade from iFIX 6.1 or 6.5. You must manually create the group with all the iFIX application features as needed.
- scada.fix.shared.OPERATORS: This group provides run mode only access for a user in iFIX.
- scada.fix.shared.SUPERVISORS: This group provides access to WorkSpace run and configure mode, as well as access to background task exit, iFIX system shut down, and iFIX system user login.

Overview of Historian Groups in Proficy Authentication

Proficy Authentication provides access to the following security groups for Historian access: historian_enterprise.admin, historian_enterprise.user, historian_rest_api.admin, historian_rest_api.read, historian_rest_api.write, historian_visualization.admin, historian_visualization.user, ih_archive_admins, ih_audited_writers, ih_collector_admins, ih_readers, ih_security_admins, ih_tag_admins, ih_unaudited_logins, and ih_unaudited_writers.

The following descriptions explain the access provided for Historian groups in Proficy Authentication:

- historian_enterprise.admin: Provides read/write access to Configuration Hub APIs.
- historian_enterprise.user: Allows access to Configuration Hub APIs.
- historian_rest_api.admin: Provides read/write access to the public REST API.
- historian_rest_api.read: Provides read access to the public REST API.
- historian_rest_api.write: Provides write access to the public REST API.
- historian_visualization.admin: Provides access to Trend Client and the Web Admin console.
- historian_visualization.user: Allows access to Trend Client.
- ih_archive_admins, ih_audited_writers, ih_collector_admins, ih_readers, ih_security_admins, ih_tag_admins, ih_unaudited_logins, ih_unaudited_writers: Provide access to tables for the Historian OLE DB provider.
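The LDAP identity provider settings in the Configure LDAP Identity Provider and Modify LDAP Identity Provider sections above specify a URL form (scheme, host, port, trailing slash), a bind DN layout (CN and DC required, OU optional), search filters with a {0} placeholder, and a Max Filter depth for group searches. The following Python is an added example, not GE code: it checks those formats, renders the filters with RFC 4515 escaping so that a login name typed at the sign-in prompt cannot change the filter's meaning, and models how the Max Filter depth bounds nested group lookups. The toy directory and its DNs are constructed, and the depth model is an assumption about how the setting behaves rather than a statement taken from the guide.

```python
"""Checks for the LDAP identity provider settings described in the guide.

Added example, not GE code. The toy directory is constructed; the way resolve_groups
applies a depth limit is an assumption about the Max Filter setting, not GE's logic.
"""
import re
from urllib.parse import urlsplit

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}
_RDN_SPLIT = re.compile(r"(?<!\\),")  # commas not preceded by a backslash separate RDNs
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def check_ldap_url(url: str) -> list:
    """Findings for a URL in the guide's required form, e.g. ldaps://host:636/."""
    findings = []
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS:
        return [f"scheme must be ldap or ldaps, got {parts.scheme!r}"]
    if not url.endswith("/"):
        findings.append("trailing slash (/) is required at the end of the URL")
    try:
        parts.port  # raises ValueError when the port is not numeric
    except ValueError:
        findings.append("port is not a number")
    if parts.scheme == "ldap":
        findings.append("ldap:// binds in clear text; the bind password is exposed on the wire")
    return findings


def parse_dn(dn: str) -> list:
    """Split CN=JohnSmith,OU=Factory,DC=Company,DC=COM into (attribute, value) pairs."""
    rdns = []
    for part in _RDN_SPLIT.split(dn):
        attr, sep, value = part.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN {part!r}: expected attribute=value")
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def check_bind_dn(dn: str) -> list:
    """The guide says CN and DC are typically required and OU is optional."""
    attrs = {attr for attr, _ in parse_dn(dn)}
    return [f"{name} component is missing" for name in ("CN", "DC") if name not in attrs]


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value substituted into a search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def render_filter(template: str, value: str) -> str:
    """Substitute {0} (login name or user DN) into a User Filter or Group Filter."""
    if "{0}" not in template:
        raise ValueError("filter template has no {0} placeholder")
    return template.replace("{0}", escape_filter_value(value))


# Constructed toy directory: entry DN -> groups it is directly a member of (memberOf).
TOY_MEMBER_OF = {
    "CN=jsmith,OU=Users,DC=company,DC=com": ["CN=LineA,OU=Groups,DC=company,DC=com"],
    "CN=LineA,OU=Groups,DC=company,DC=com": ["CN=Plant1,OU=Groups,DC=company,DC=com"],
    "CN=Plant1,OU=Groups,DC=company,DC=com": ["CN=Supervisors,OU=Groups,DC=company,DC=com"],
    "CN=Supervisors,OU=Groups,DC=company,DC=com": [],
}


def resolve_groups(entry_dn: str, max_depth: int, directory=TOY_MEMBER_OF) -> set:
    """Follow memberOf links up to max_depth levels (assumed to be what Max Filter bounds).

    A lower depth means fewer directory round trips on a large tree, at the cost of
    missing groups that are only reachable through deeper nesting.
    """
    found, frontier = set(), [entry_dn]
    for _ in range(max_depth):
        frontier = [g for dn in frontier for g in directory.get(dn, []) if g not in found]
        found.update(frontier)
        if not frontier:
            break
    return found


if __name__ == "__main__":
    print(check_ldap_url("ldap://100.100.100.2:389/"))
    print(check_bind_dn("CN=JohnSmith,OU=Factory,DC=Company,DC=COM"))
    print(render_filter("sAMAccountName={0}", "*)(objectClass=*"))
    user = "CN=jsmith,OU=Users,DC=company,DC=com"
    print(sorted(resolve_groups(user, 10)), sorted(resolve_groups(user, 2)))
```

The escaping in render_filter is the check that matters most: the guide's sAMAccountName={0} filter receives whatever the user types at the login prompt, and without escaping a value such as `*)(objectClass=*` would turn into a filter that matches every entry. Comparing resolve_groups at depth 10 and depth 2 shows why the guide's advice to lower Max Filter on very large systems trades completeness of nested group membership for response time.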

Create Groups

This topic describes how to create new groups in Proficy Authentication.

Log in to Configuration Hub as an administrator.

For example, you can create a group for users who perform the same task on the same resource. You can have a group of supervisors for each line such as Supervisors_LineA, Supervisors_LineB, Supervisors_LineC.

1. Go to Proficy Authentication > Security > Groups.
2. Select the add icon.
   The Add Group screen appears.
3. Enter the following details for the new group.

   Group Name
       A unique name of the group that does not match with any existing Proficy Authentication groups. For example, Supervisors_LineA

   Description
       A brief description of the group.

4. Select Add.
   The group is created successfully.
   The newly created group is added to the list of groups on the Groups tab.

Modify Groups

This topic describes how to modify existing groups in Proficy Authentication.

Log in to Configuration Hub as an administrator.

You can modify a group to:
- Add/Remove Users in a Group (on page 33)
- Add/Remove Sub-Groups in a Group (on page 34)
- Map Groups (on page 30)

1. Go to Proficy Authentication > Security > Groups.
   The existing list of Proficy Authentication groups appears.
2. Use any of these options to open a group.
   - Double-click the group name you want to modify.
   - For the group you want to modify, from its ACTION column, select the icon, then Edit.
   The group opens in a new tab.
3. You can modify the following:

   Member (Users)
       Displays the list of users added to this group. Add/Remove Users in a Group (on page 33).

   Mapping
       Displays the list of mapped groups for this group. You can add/remove mapped groups (on page 30).

   Member (Groups)
       Displays the list of sub-groups added to this group. Add/Remove Sub-Groups in a Group (on page 34).

Map Groups

This topic describes how to perform group mapping.

Log in to Configuration Hub as an administrator.

You can map any of the following to a Proficy Authentication group. The users belonging to these groups gain access to Proficy Authentication, and become a member of the target group.
- UAA groups
- LDAP groups
- SAML groups

1. Go to Proficy Authentication > Security > Groups.
   The existing list of Proficy Authentication groups appears.
2. Double-click and open the group you want to map to UAA/LDAP/SAML groups.
3. Select the Mapping tab.
4. Map UAA groups.
   a. From the Identity Provider drop down list, select the UAA record.
      The groups from the UAA rec
