Best Practices and Limitations

Before you configure Proficy Authentication, read the best practices that you must follow and the limitations that you must consider.

Best Practices

  • CIMPLICITY Webserver Port

    For Proficy Authentication to work, the CIMPLICITY Webserver must be running on the default port, that is, 9443.

  • Optimal Token Size

    As a security best practice, and to minimize the size of the JWT, ensure that the scopes of a token are relevant to the service for which that token is intended.

  • Optimal Token Header Size and Group Name

    Because JWTs are generated from the combined character length of all the mapped groups, longer group names also increase the size of the request header. Ensure that group names are no longer than 255 characters.

  • Effective Security Control

    For effective security control, as an administrator, ensure that you provide users with the relevant scopes to which they are entitled. This keeps users from having access to all Proficy Authentication groups across all the applications and services.

  • Trust the Root Certificate

    When using Proficy Authentication, ensure that the Proficy Authentication root certificate is installed and trusted on all the viewer nodes.
    Note: Once Proficy Authentication is trusted on the server, you can find the uaa_root_cert.crt file in the <Installdirectory>\admin_data\pauth_pki\trusted folder.

Limitations

  • For Proficy Authentication to work, the CIMPLICITY project name and Project ID must be the same.
  • Proficy Authentication supports group names with a length of 255 characters, and Apache limits the header size to 8190 bytes. As mentioned in the best practices section, ensure that you maintain an optimal token header size.
  • Proficy Authentication is not supported for CIMPLICITY Configuration security.
  • Configuration of security using Proficy Authentication is not supported.
  • To access the screens on Webspace using Proficy Authentication credentials, you must enable Mixed Authentication along with Proficy Authentication in the Project Properties.
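
The token header size guidance above (group names within 255 characters, Apache header limit of 8190 bytes) can be checked before a group mapping is rolled out. The following is an added example, not code from the product: it assumes the mapped groups appear in a `scope` claim of the JWT and that the token travels in an `Authorization: Bearer` header; the sample scope names and tokens are constructed.

```python
import base64
import json

APACHE_HEADER_LIMIT = 8190   # bytes, the Apache limit stated on this page
MAX_GROUP_NAME_LEN = 255     # characters, the group-name limit stated on this page


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_sample_token(scopes):
    """Build a constructed token with a placeholder signature (demo input only)."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": "operator1", "scope": scopes}).encode())
    signature = _b64url(b"\x00" * 256)  # placeholder bytes, sized like an RSA-2048 signature
    return f"{header}.{payload}.{signature}"


def audit_token(token: str) -> dict:
    """Report header size and group-name length issues; the signature is not verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected three dot-separated parts)")
    body = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped base64url padding
    claims = json.loads(base64.urlsafe_b64decode(body))
    scopes = claims.get("scope", [])              # assumption: groups are listed here
    if isinstance(scopes, str):                   # tolerate a space-separated string
        scopes = scopes.split()
    # Assumption: the limit is measured against the whole header line.
    header_line = f"Authorization: Bearer {token}".encode("utf-8")
    return {
        "scope_count": len(scopes),
        "header_bytes": len(header_line),
        "fits_apache_limit": len(header_line) <= APACHE_HEADER_LIMIT,
        "oversized_names": [s for s in scopes if len(s) > MAX_GROUP_NAME_LEN],
    }


if __name__ == "__main__":
    lean = make_sample_token(["cimplicity.operator", "cimplicity.viewer"])
    bloated = make_sample_token([f"plant{i}.{'x' * 250}" for i in range(40)])
    for name, tok in (("lean", lean), ("bloated", bloated)):
        print(name, audit_token(tok))
```

A token that fails `fits_apache_limit` indicates that the user is mapped to more or longer-named groups than the header can carry; trimming the mapping to the scopes the service needs addresses both the size and the access concern.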