Home
User Management
All about authorization, authentication and login-customization.
OIDC Authentication in WinCC OA
The OIDC Authentication feature introduces support for the OpenID Connect® (OIDC) standard in WinCC OA, enabling integration with modern identity providers for secure, token-based user authentication.
WinCC OA User Interface Authentication by Using Keycloak
Configuring Multi-Factor Authentication (MFA) as an Administrator in Keycloak
This topic explains how to configure Multi-Factor Authentication (MFA) in Keycloak as an administrator, including how to set MFA as a default requirement for new users and how to require specific users to set up MFA at their next login.

Version Information
Release Notes, Update information, Certifications and Frequently Asked Questions.
Concepts
Your first step into modern and powerful process visualization.
Deployment
Topics you need to know before using WinCC OA.
Security
Go beyond the norm in cybersecurity.
Engineering
Powerful tools for easy or complex engineering tasks.
Data Management
Classify, structure and archive your data.
Business Logic / Control
Endless possibilities in data processing for your projects.
Data Visualization
User interfaces, Trends and Reports for every purpose and device.
Southbound Interfaces
The process connection to the actual machines/sensors.
Northbound Interfaces
Your portal to the cloud or supervising systems.
Web Connectivity / Network Interfaces
Data exchange, APIs and web technologies
User Management
All about authorization, authentication and login-customization.
- User Administration
  The WinCC OA user administration provides important features for controlling users that use the system. Security is an important issue in the automation technology when controlling highly sensitive systems and it is of utmost importance that the users of the system have only access to the specified area of operation. With the WinCC OA user administration, you can administer users so that they can use the resources effectively without inflicting damage to the system inadvertently or otherwise
- OIDC Authentication in WinCC OA
  The OIDC Authentication feature introduces support for the OpenID Connect® (OIDC) standard in WinCC OA, enabling integration with modern identity providers for secure, token-based user authentication.
  - WinCC OA User Interface Authentication by Using Keycloak
    - Set Up Keycloak for OIDC Authentication (Base Configuration)
      This task describes how to configure Keycloak as an OpenID Connect (OIDC) authentication provider for WinCC OA in its base configuration.
    - Configuring OIDC Authentication for WinCC OA Project
      Follow these steps to configure your WinCC OA project to use OIDC authentication with Keycloak as the Identity Provider (IdP).
    - Configuring Multi-Factor Authentication (MFA) as an Administrator in Keycloak
      This topic explains how to configure Multi-Factor Authentication (MFA) in Keycloak as an administrator, including how to set MFA as a default requirement for new users and how to require specific users to set up MFA at their next login.
    - Setting up Multi-Factor Authentication (MFA) as a User
      This topic explains how to set up Multi-Factor Authentication (MFA) using a One-Time Password (OTP) application after your administrator has enabled OTP for your account.
- WinCC OA Internal Identity Provider
  This topic provides an overview of the built-in OpenID Connect (OIDC) provider, its integration, configuration, and user management in WinCC OA projects.
- Device Management
  The Device Management allows you to define which WinCC OA UI connections (mobile application and Desktop UI) are allowed to connect to your project. Additionally a direct overview over the available licenses and currently connected devices is shown.
- Inactivity/AutoLogout
  The inactivity management in WinCC OA prevents not authorized persons or persons with a wrong identity to use a workplace for forbidden or not traceable operations.
- Access Control Plug-in
  The WinCC OA Access Control Plug-in can be used to control the access to datapoints (read, write, display) via user rights.
- Authorization Check Plug-in
  The authorization check plug-in allows setting access rights on datapoint element level (datapoint values).
- Authentication via Kerberos, basics
  In a more and more networking world, a WinCC OA system could be exposed to different types of attacks. An unauthorized WinCC OA system could connect to the distribution manager or hackers could try to manipulate WinCC OA messages.
- Login Framework
  The WinCC OA login framework provides a framework that is easy to extend. The WinCC OA login panels can be easily replaced by user-specific panels without having to re-implement the functionality.
- System Use Notification
  You can use the system use notification panel to display an instruction to the user when logging into the WinCC OA system. The user must confirm the notification before logging into the WinCC OA project.
- Audit Trail panel
Availability
How to get your system uptime to the maximum.
Reporting
Create state of the art project reports without limits.
Addons
Useful tools and enhancements for special demands.
Reference Tables
Detailed and extensive content for special project adaptation.
Videos & Tutorials
Explore the capabilities of WinCC OA with our carefully selected collection of video tutorials and guides.
Documentation
Basic information about terms and functions within the documentation.
Support & Services
An experienced team of support agents, consultants and trainers are ready to facilitate active partnerships with our customers, so they can profit from our comprehensive service.
Disclaimer
A brief clarification of liability exclusions or legal notices.

Configuring Multi-Factor Authentication (MFA) as an Administrator in Keycloak

This topic explains how to configure Multi-Factor Authentication (MFA) in Keycloak as an administrator, including how to set MFA as a default requirement for new users and how to require specific users to set up MFA at their next login.

Configure MFA settings for a realm
1. Log in to the Keycloak administration console.
2. Click Manage realms in the main menu.
3. Select the realm where you want to configure MFA.
  If you are already in the correct realm, you can skip this step.
4. Click Authentication in the left navigation menu.
5. Open the Policies tab.
6. Select the OTP Policy sub-tab.
7. Adjust the One Time Password settings as needed for your organization.
  Keycloak currently supports FreeOTP, Google Authenticator, and Microsoft Authenticator. Not all OTP policy options are compatible with all of these providers. For more information, see Keycloak OTP Policy documentation.
Set MFA as a default requirement for all new users
1. Log in to the Keycloak administration console.
2. Click Manage realms in the main menu.
3. Select the realm where you want to require MFA for new users.
  If you are already in the correct realm, you can skip this step.
4. Click Authentication in the left navigation menu.
5. Open the Required Actions tab.
6. Locate the action Configure OTP and enable Set as default action.
  If Configure OTP is not enabled, enable it first before setting it as the default action. For more information, see Keycloak Required Actions documentation.
Require a specific user to set up MFA at next login
1. Log in to the Keycloak administration console.
2. Click Manage realms in the main menu.
3. Select the realm where the user account is located.
  If you are already in the correct realm, you can skip this step.
4. Click Users in the left navigation menu.
5. Click the username of the user who should be required to set up MFA.
6. In the Details tab, find the Required user actions field and select Configure OTP.
  For more information about authentication flows and required actions, see Keycloak Authentication Flows documentation.
7. Click Save to apply the changes.