OIDC Authentication in WinCC OA
The OIDC Authentication feature introduces support for the OpenID Connect® (OIDC) standard in WinCC OA, enabling integration with modern identity providers for secure, token-based user authentication.
Overview
The OIDC Authentication feature allows WinCC OA to authenticate users through OpenID Connect® (OIDC), an industry-standard protocol built on OAuth 2.0. This integration makes it possible to use third-party identity providers such as Keycloak, Microsoft Entra ID (Azure AD), or any other OIDC-compliant service.
By adopting OIDC, WinCC OA aligns with modern IT security practices and supports centralized authentication across distributed environments. Users can log in using their existing enterprise credentials, eliminating the need for locally managed passwords.
Purpose
The purpose of OIDC Authentication is to provide a unified and secure authentication mechanism for WinCC OA projects. It integrates with enterprise identity management systems and reduces manual user administration.
- Centralized user and group management through corporate identity providers.
- Compliance with organizational security and access control policies.
- Support for single sign-on (SSO) across multiple clients and systems.
Integration Scope
OIDC Authentication supports both external identity providers and the internal WinCC OA OIDC provider, which can authenticate users from the _Users datapoint. This ensures compatibility and provides a fallback mechanism in case external identity providers are not available.
In the initial implementation, OIDC authentication is available for UI type managers, where user interaction is possible during login. Machine-to-machine authentication continues to use the Server-Side Authentication (SSA) framework with certificate-based login.
The OIDC feature reuses the existing AccessControlPlugin and SSA logic, ensuring a consistent integration with existing security mechanisms.
Conceptual Summary
When a project is configured for OIDC, authentication is performed using tokens issued by the identity provider. The system uses the standard OIDC authorization code flow as defined in RFC 8252.
After successful authentication, the identity provider issues tokens that contain verified user identity and role information. WinCC OA validates these tokens and automatically engineers (creates) the corresponding users and groups from the metadata the tokens carry.
Each project supports a single authentication type defined by the [general] authType configuration entry:
- legacy – Client-side authentication
- serverside – Server-Side Authentication
- oidc – OpenID Connect® authentication
Projects configured for OIDC cannot mix with other authentication types, ensuring a consistent security model.
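The following is an added example, not WinCC OA code, that walks through the relying-party side of the authorization code flow described above and the checks a client performs on the returned ID token before trusting its identity and role claims. It uses only the Python standard library; the identity provider endpoint, client ID, redirect URI and signing key are constructed stand-ins, and the token is HMAC-signed so the example runs offline (a real provider signs with an asymmetric key published via its JWKS endpoint, but the claim checks are the same).

```python
# Added example (not WinCC OA code): relying-party side of the OIDC
# authorization code flow with PKCE, plus the ID-token checks a client must
# make before it trusts the identity and role claims. Stdlib only; the IdP,
# endpoint URLs, client ID and signing key are constructed stand-ins.
import base64
import hashlib
import hmac
import json
import secrets
import time
import urllib.parse


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_pkce_pair() -> tuple:
    """code_verifier kept by the client, S256 code_challenge sent to the IdP."""
    verifier = b64url(secrets.token_bytes(32))
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def pkce_matches(verifier: str, challenge: str) -> bool:
    """What the IdP token endpoint checks when the authorization code is redeemed."""
    recomputed = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return hmac.compare_digest(recomputed, challenge)


def build_authorization_url(authorize_endpoint, client_id, redirect_uri,
                            state, nonce, code_challenge) -> str:
    """Step 1: the UI/browser is sent here; state and nonce are one-time values."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid profile",
        "state": state,
        "nonce": nonce,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return authorize_endpoint + "?" + urllib.parse.urlencode(params)


def mint_demo_token(key: bytes, claims: dict, alg: str = "HS256") -> str:
    """Stand-in for the IdP: HMAC-SHA256 signed JWT. Real providers use
    RS256/ES256 keys from their JWKS; the claim checks below are unchanged."""
    header = b64url(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def validate_id_token(token, key, issuer, client_id, nonce, now=None) -> dict:
    """Step 3: accept the ID token only if the signature and every claim check pass."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(b64url_decode(h_b64))
    # Pin alg to the key we hold; never let the token choose (blocks alg=none
    # and key confusion). Unsupported algorithms are rejected outright.
    if header.get("alg") != "HS256":
        raise ValueError(f"unsupported alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s_b64)):
        raise ValueError("signature mismatch")
    claims = json.loads(b64url_decode(p_b64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if client_id not in ([aud] if isinstance(aud, str) else aud or []):
        raise ValueError("token not issued for this client")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch (replay or a different login attempt)")
    return claims  # identity (sub) and role/group claims can now be mapped to users


if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()
    print(build_authorization_url("https://idp.example/realms/demo/auth", "wincc-oa-ui",
                                  "http://127.0.0.1:8765/cb", secrets.token_urlsafe(16),
                                  "demo-nonce", challenge))
```

The order of checks matters: the signature is verified before any claim is read, and the algorithm is fixed by the key the client holds rather than taken from the token header. Only a token that passes all checks yields the identity and group claims from which users and groups are derived.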
Benefits
- Integration with enterprise identity systems for centralized access control.
- Secure token-based authentication that eliminates password exchange.
- Single sign-on for multiple WinCC OA clients and applications.
- Scalability and maintainability across distributed systems.
- Fallback capability through the built-in WinCC OA OIDC provider.
Compatibility
OIDC Authentication is supported starting with WinCC OA version 3.21. All systems in a distributed project must use a version that includes OIDC support.
Notes & Restrictions
Important limitations and requirements for using OIDC Authentication and related features in WinCC OA projects.
Version Requirements for Distributed (DIST) Systems
All systems in a distributed (DIST) environment must use WinCC OA version 3.21 or newer to support OIDC Authentication. Mixed-version environments are not supported for OIDC features.
UserID Synchronization in DIST Systems
To enable OIDC Authentication in Distributed systems, the configuration for UserID must be synchronized between systems by using the Dist-Management. This ensures that user identities are consistent across all nodes in the distributed system.
The following must be considered:
- Dist Management must be properly configured on the master system.
- When OIDC is used, creating a user on a distributed system other than the master automatically copies the user information (ID, name, group, etc.).
- A user created on a system that is currently not connected to the master system cannot log in until the connection is re-established.
OIDC behavior in Redundant Projects
After a redundancy switch, users must re-authenticate by entering their credentials again. Automatic session transfer is not supported.
In a redundant system, if one side is restarted (e.g. during a redundancy switch) while a remote OIDC provider is unavailable, the UIs that authenticated through that currently unavailable OIDC provider may be closed.
Upgrade Information: No Automatic Upgrade
There is no automatic upgrade process for OIDC Authentication in WinCC OA version 3.21. Existing projects must be upgraded manually if OIDC features are required.
Some projects can be upgraded to use OIDC Authentication, but this process must be performed manually, and it cannot be guaranteed that all features used in earlier versions are compatible with OIDC Authentication.
Debugging
For additional debugging information, the debug flag -dbg oidcauth can be added to the User Interface manager, the Control Manager running the HTTP-Server, or the JavaScript manager running the WinCC OA Internal Identity Provider to enable additional log outputs and communication details.
Algorithms
Currently, Edwards-curve Digital Signature Algorithm (EdDSA) keys are not supported.
