Home
User Management
All about authorization, authentication and login-customization.
OIDC Authentication in WinCC OA
The OIDC Authentication feature introduces support for the OpenID Connect® (OIDC) standard in WinCC OA, enabling integration with modern identity providers for secure, token-based user authentication.
WinCC OA User Interface Authentication by Using Keycloak
Configuring OIDC Authentication for WinCC OA Project
Follow these steps to configure your WinCC OA project to use OIDC authentication with Keycloak as the Identity Provider (IdP).

Version Information
Release Notes, Update information, Certifications and Frequently Asked Questions.
Concepts
Your first step into modern and powerful process visualization.
Deployment
Topics you need to know before using WinCC OA.
Security
Go beyond the norm in cybersecurity.
Engineering
Powerful tools for easy or complex engineering tasks.
Data Management
Classify, structure and archive your data.
Business Logic / Control
Endless possibilities in data processing for your projects.
Data Visualization
User interfaces, Trends and Reports for every purpose and device.
Southbound Interfaces
The process connection to the actual machines/sensors.
Northbound Interfaces
Your portal to the cloud or supervising systems.
Web Connectivity / Network Interfaces
Data exchange, APIs and web technologies
User Management
All about authorization, authentication and login-customization.
- User Administration
  The WinCC OA user administration provides important features for controlling users that use the system. Security is an important issue in the automation technology when controlling highly sensitive systems and it is of utmost importance that the users of the system have only access to the specified area of operation. With the WinCC OA user administration, you can administer users so that they can use the resources effectively without inflicting damage to the system inadvertently or otherwise
- OIDC Authentication in WinCC OA
  The OIDC Authentication feature introduces support for the OpenID Connect® (OIDC) standard in WinCC OA, enabling integration with modern identity providers for secure, token-based user authentication.
  - WinCC OA User Interface Authentication by Using Keycloak
    - Set Up Keycloak for OIDC Authentication (Base Configuration)
      This task describes how to configure Keycloak as an OpenID Connect (OIDC) authentication provider for WinCC OA in its base configuration.
    - Configuring OIDC Authentication for WinCC OA Project
      Follow these steps to configure your WinCC OA project to use OIDC authentication with Keycloak as the Identity Provider (IdP).
    - Configuring Multi-Factor Authentication (MFA) as an Administrator in Keycloak
      This topic explains how to configure Multi-Factor Authentication (MFA) in Keycloak as an administrator, including how to set MFA as a default requirement for new users and how to require specific users to set up MFA at their next login.
    - Setting up Multi-Factor Authentication (MFA) as a User
      This topic explains how to set up Multi-Factor Authentication (MFA) using a One-Time Password (OTP) application after your administrator has enabled OTP for your account.
- WinCC OA Internal Identity Provider
  This topic provides an overview of the built-in OpenID Connect (OIDC) provider, its integration, configuration, and user management in WinCC OA projects.
- Device Management
  The Device Management allows you to define which WinCC OA UI connections (mobile application and Desktop UI) are allowed to connect to your project. Additionally a direct overview over the available licenses and currently connected devices is shown.
- Inactivity/AutoLogout
  The inactivity management in WinCC OA prevents not authorized persons or persons with a wrong identity to use a workplace for forbidden or not traceable operations.
- Access Control Plug-in
  The WinCC OA Access Control Plug-in can be used to control the access to datapoints (read, write, display) via user rights.
- Authorization Check Plug-in
  The authorization check plug-in allows setting access rights on datapoint element level (datapoint values).
- Authentication via Kerberos, basics
  In a more and more networking world, a WinCC OA system could be exposed to different types of attacks. An unauthorized WinCC OA system could connect to the distribution manager or hackers could try to manipulate WinCC OA messages.
- Login Framework
  The WinCC OA login framework provides a framework that is easy to extend. The WinCC OA login panels can be easily replaced by user-specific panels without having to re-implement the functionality.
- System Use Notification
  You can use the system use notification panel to display an instruction to the user when logging into the WinCC OA system. The user must confirm the notification before logging into the WinCC OA project.
- Audit Trail panel
Availability
How to get your system uptime to the maximum.
Reporting
Create state of the art project reports without limits.
Addons
Useful tools and enhancements for special demands.
Reference Tables
Detailed and extensive content for special project adaptation.
Videos & Tutorials
Explore the capabilities of WinCC OA with our carefully selected collection of video tutorials and guides.
Documentation
Basic information about terms and functions within the documentation.
Support & Services
An experienced team of support agents, consultants and trainers are ready to facilitate active partnerships with our customers, so they can profit from our comprehensive service.
Disclaimer
A brief clarification of liability exclusions or legal notices.

Configuring OIDC Authentication for WinCC OA Project

Follow these steps to configure your WinCC OA project to use OIDC authentication with Keycloak as the Identity Provider (IdP).

Ensure you have a WinCC OA OpenID Connect (OIDC) Project
Configure an active instance of Keycloak. To setup a new Keycloak instance for WinCC OA, see Set Up Keycloak for OIDC Authentication (Base Configuration)

Open your project configuration file for editing, see Project Config File.
Optional: Set the client ID (optional) used when connecting to the IdP, see ../../config_entries/sections/general.html#general__authClientId.
```
authclientid = <your_client_id>
```
If not defined, the default value is winccoa.
Configure the OIDC endpoint(s).
Add one or more ../../config_entries/sections/general.html#general__authEndpoint entries to specify the .well-known endpoint(s) of your Identity Provider:
```
[general]
authendpoint = https://<keycloak_host>/realms/<authRealm>/.well-known/openid-configuration
```
Example:
```
https://localhost:8443/realms/winccoa-realm/.well-known/openid-configuration
```
Multiple authendpoint entries are allowed. Even if not explicitly configured, WinCC OA will append its own OIDC provider endpoint as the last item as local emergency login option.
Save the configuration file and restart your WinCC OA project.

This applies the new authentication settings.

Your WinCC OA project is now configured to use OIDC authentication with Keycloak as the Identity Provider.