Single Sign On

WinCC OA also provides a Single Sign On (SSO) feature. The feature is configured per workstation and per user group.

If Single Sign On is used, users are not required to enter a user name and password to sign on to the system once they have been authenticated by Windows Active Directory (AD) or by the Linux user administration (PAM).

The Single Sign On feature does not exist for the user root.

The Single Sign On feature cannot be used for a user who has not logged in to WinCC OA before (the user is only created in WinCC OA at the first login, see below).

A user switch is currently not possible in combination with SSO. You can implement your own solution based on the Login Framework.

CAUTION: Server-side authentication is not supported in combination with Single Sign On.

For a user to be able to log in via Single Sign On, delete the password of that user in the internal data point _Users (set it to an empty string). For a detailed description, see chapter setUserId().

CAUTION: If you change your password in Windows, WinCC OA recognizes the password change only when you log in to WinCC OA with the new password. A login via Single Sign On does not count as such a login, because no password is entered. This means that if you check the new password in a script, the check fails until you have logged in to WinCC OA "normally" once.

If a workstation uses the same system name as the Active Directory, authorization problems can occur when Single Sign On is used.

Authentication changes in Active Directory are also propagated to WinCC OA if the script "updateUserGroups.ctl" (C:\Siemens\Automation\WinCC_OA\<version>\scripts) is running on the server. If, for example, the group assignments of a user are changed in the Active Directory, the changes are automatically written to the WinCC OA database. The changes are applied for all (active) users in the WinCC OA database after a user has logged in. Additionally, a cyclic update can be used (see the config entry checkADAuthIntervall). By default, this cycle is set to 60 minutes. The user account under which the query runs must be authorized to query AD user information of other users.

Note: Under the Linux user administration, the "colon zero" part (:0.0) of the display name must be deleted from the workstation authorization when using Single Sign On.

Configuration Single Sign On

Authorization level 32 is the bit for the Single Sign On (SSO) feature. If the Single Sign On permission is set, no password is requested at project start and the current OS user is logged in. Grant the Single Sign On permission via the workstation authorization.

Note that when Single Sign On is used in the extended mode of the UI manager (-extended), or when the user has permission bit 4, no automatic logon takes place and the login must be confirmed manually.

If users have been modified in the Windows Active Directory (AD) and SSO is used without Kerberos, these changes have to be applied to the WinCC OA user administration manually. When SSO is used with Kerberos, changes in the AD are detected by WinCC OA and applied automatically.

Login Single Sign On

In order to use Single Sign On, proceed as follows:

  1. Change from the WinCC OA user administration to the OS Auth - Windows user administration. See also chapter OS Auth. User Administration.
  2. Specify the group rights via the group administration panel and the authorization for the Single Sign On via the workstation authorization.
  3. Log into WinCC OA as Windows user. The system detects that the user does not exist yet and creates the user (see OS Auth. User Administration).
  4. Log into WinCC OA via the login panel. You are automatically logged in and you do not have to enter the password.
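The step of blanking a user's stored password in _Users (see the paragraph on setUserId() above) is the one part of this procedure that is typically scripted. The following Control script is an added example, not code from the WinCC OA product or its documentation. It assumes that _Users.UserName and _Users.Password are parallel dyn_string elements indexed by user (verify this against the _Users data point of your version), refuses the user root (for which SSO does not exist) and refuses users that have not yet been created by a first OS Auth login. The user name "op.alice" is a constructed example.

```ctrl
// Added example (not WinCC OA product code): enable SSO for one existing
// OS-authenticated user by clearing its stored password in _Users.
// Assumption: _Users.UserName and _Users.Password are parallel dyn_string
// elements; check the _Users data point of your version before use.
bool enableSsoForUser(string userName)
{
  dyn_string names, passwords;

  // SSO does not exist for root; never blank its password.
  if (userName == "root")
  {
    DebugN("enableSsoForUser: refusing to clear the password of root");
    return false;
  }

  if (dpGet("_Users.UserName", names, "_Users.Password", passwords) < 0)
  {
    DebugN("enableSsoForUser: dpGet on _Users failed");
    return false;
  }

  // dynContains returns the 1-based index of the user, 0 if not present.
  int idx = dynContains(names, userName);
  if (idx < 1)
  {
    // The user is only created by its first OS Auth login; SSO cannot be
    // enabled before that.
    DebugN("enableSsoForUser: user not created yet, log in once first: " + userName);
    return false;
  }

  if (dynlen(passwords) < idx)
  {
    DebugN("enableSsoForUser: _Users.Password shorter than _Users.UserName");
    return false;
  }

  // An empty password marks the user for Single Sign On.
  passwords[idx] = "";
  if (dpSet("_Users.Password", passwords) < 0)
  {
    DebugN("enableSsoForUser: dpSet on _Users.Password failed");
    return false;
  }

  DebugN("enableSsoForUser: SSO enabled for " + userName);
  return true;
}

main()
{
  // Constructed example user; must already exist from a first OS Auth login.
  enableSsoForUser("op.alice");
}
```

Run the script once on the server with an account that is allowed to write _Users. After that, the user is logged in automatically at the login panel as long as the SSO bit is set in the workstation authorization and the UI is not started with -extended (and the user does not hold permission bit 4), in which case the login still has to be confirmed manually.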