Windows Integrated Authentication / Auto-login

Windows Integrated Authentication is a new capability added to Proficy Authentication Service from version 2.5.

When Windows Integrated Authentication or Auto-login is enabled, users logged into any Windows machine in a domain are able to access Operations Hub and/or hosted Proficy applications without the need to type in their Windows credentials again. The same Windows logged-in user context is used for authenticating the user. Based on the user's privileges, access is provided to Operations Hub and/or its hosted applications.

This document describes the steps to configure the 'Windows Integrated Authentication' functionality in an instance of Proficy Authentication service. After configuring auto-login, when you attempt to log into Operations Hub / hosted Proficy applications, the Select Authentication screen appears (see figure below) to choose between Standard Proficy Authentication Login or Active Directory (Windows) Integrated Login.

If you choose Active Directory (Windows) Integrated Login, authentication follows the new flow and you are not prompted to provide credentials. Choosing Standard Proficy Authentication Login instead takes you through the normal authentication flow and prompts for your credentials.

Note:
  • The auto-login capability only authenticates users. For authorization (access permissions), you have to configure an LDAP IDP. To accomplish this, configure the LDAP IDP against the same Active Directory service / LDAP server, so that the authentication service node, the nodes in the network that access the applications, and the users seeking auto-login all fall within the same Windows scope.
  • For configuring the LDAP IDP, refer to Add LDAP Identity Provider.
The Select Authentication screen and the logout screen offer the following options.
  • Standard Proficy Authentication Login: Choose this option if you want to use the standard login (username/password or SAML). This is a regular login based on username/password, including LDAP, or on SAML.
  • Active Directory (Windows) Integrated Login: This option appears only if Windows auto-login is configured. It allows you to log into Operations Hub automatically, using the user's domain login session that was used to log in to Proficy Authentication.
  • Don’t ask me again: Select this check box if you don't want the Select Authentication screen displayed every time you log in. The system remembers the last selected authentication (regular or auto-login) and applies it to future logins. With Don’t ask me again enabled, you can clear the last selected authentication only during logout: select "You may also click here to clear the previously selected authentication option" to clear the saved selection. Once cleared, the clearing option is hidden from the logout screen. Select "click here to login again" to return to the login page.
  • Defer: Select this to dismiss the screen and skip selecting an authentication. You can select an authentication the next time you log in.
To configure Windows Auto-login, an administrator performs the following tasks once, at initial setup. The first task is performed on all the participating nodes (Active Directory service node, Proficy Authentication service node, and the client nodes). The second and third are performed on the Windows Active Directory Server machine. The fourth task is performed on the machine where Proficy Authentication is installed.
  1. Configure Security Policy.
  2. Create a service principal for your user account.
  3. Generate the Kerberos keytab file.
  4. Update the Proficy Authentication .yml file.
  5. Add LDAP Identity Provider for the Active Directory service used in Steps 2 and 3.
    Note: Users logging into DPM products using Windows Auto-login are authorized (that is, receive their scopes) based on the LDAP configuration performed in Step 5.
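Before the keytab produced in Step 3 is referenced from the .yml file in Step 4, it is worth verifying that the file actually contains the expected service principal and that none of its keys use a deprecated encryption type (DES or RC4). The following keytab parser and check is an added example, not code from this document or from the Proficy product; the host name, realm, and the HTTP/host SPN form are assumptions shown as placeholders, and the sample keytab is constructed inline.

```python
import struct
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 23: "rc4-hmac",
            17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}
WEAK = {1, 3, 23}   # DES and RC4 keys are deprecated and must not protect the service SPN
def _cos(buf, off):   # counted_octet_string: uint16 length followed by the bytes
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n
def parse_keytab(data):
    """Parse an MIT 0x0502 keytab (the format ktpass writes) into a list of entry dicts."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        end = off + abs(size)   # a negative size marks a deleted slot, which is skipped
        if size > 0:
            (ncomp,) = struct.unpack_from(">H", data, off)
            realm, off = _cos(data, off + 2)
            comps = []
            for _ in range(ncomp):
                c, off = _cos(data, off)
                comps.append(c.decode())
            _name_type, _ts, vno8, enctype = struct.unpack_from(">IIBH", data, off)
            key, off = _cos(data, off + 11)
            kvno = struct.unpack_from(">I", data, off)[0] if end - off >= 4 else vno8  # optional 32-bit kvno
            entries.append({"principal": "/".join(comps) + "@" + realm.decode(), "enctype": enctype, "kvno": kvno})
        off = end
    return entries
def check_keytab(data, expected_principal):
    """Return a list of problems; empty means the SPN is present and every key uses a strong enctype."""
    entries = parse_keytab(data)
    problems = []
    if expected_principal not in {e["principal"] for e in entries}:
        problems.append("missing principal " + expected_principal)
    for e in entries:
        if e["enctype"] in WEAK:
            problems.append("%s has weak enctype %s" % (e["principal"], ENCTYPES[e["enctype"]]))
    return problems
def _entry(principal, enctype, key, kvno=1):   # serialises one entry for the constructed sample below
    name, realm = principal.split("@")
    parts = [realm.encode()] + [c.encode() for c in name.split("/")]
    body = struct.pack(">H", len(parts) - 1) + b"".join(struct.pack(">H", len(p)) + p for p in parts)
    body += struct.pack(">IIBH", 1, 0, kvno, enctype) + struct.pack(">H", len(key)) + key
    return struct.pack(">i", len(body)) + body
# Constructed sample (placeholder host and realm): an AES256 key plus a leftover RC4 key for the same SPN
SAMPLE_KEYTAB = (b"\x05\x02"
                 + _entry("HTTP/auth.example.local@EXAMPLE.LOCAL", 18, b"\x11" * 32)
                 + _entry("HTTP/auth.example.local@EXAMPLE.LOCAL", 23, b"\x22" * 16))
```

Run check_keytab on the real keytab bytes with the SPN you registered in Step 2; an empty list means the file is ready for Step 4.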
To configure the browser settings for Windows Auto-login, the following task is performed on the end-user machine.
Figure 1. Windows Auto-login - Deployment Topology and Configuration