Home
User Management
All about authorization, authentication and login-customization.
OIDC Authentication in WinCC OA
The OIDC Authentication feature introduces support for the OpenID Connect® (OIDC) standard in WinCC OA, enabling integration with modern identity providers for secure, token-based user authentication.
WinCC OA User Interface Authentication by Using Keycloak
Setting up Multi-Factor Authentication (MFA) as a User
This topic explains how to set up Multi-Factor Authentication (MFA) using a One-Time Password (OTP) application after your administrator has enabled OTP for your account.

Version Information
Release Notes, Update information, Certifications and Frequently Asked Questions.
Concepts
Your first step into modern and powerful process visualization.
Deployment
Topics you need to know before using WinCC OA.
Security
Go beyond the norm in cybersecurity.
Engineering
Powerful tools for easy or complex engineering tasks.
Data Management
Classify, structure and archive your data.
Business Logic / Control
Endless possibilities in data processing for your projects.
Data Visualization
User interfaces, Trends and Reports for every purpose and device.
Southbound Interfaces
The process connection to the actual machines/sensors.
Northbound Interfaces
Your portal to the cloud or supervising systems.
Web Connectivity / Network Interfaces
Data exchange, APIs and web technologies
User Management
All about authorization, authentication and login-customization.
- User Administration
  The WinCC OA user administration provides important features for controlling users that use the system. Security is an important issue in the automation technology when controlling highly sensitive systems and it is of utmost importance that the users of the system have only access to the specified area of operation. With the WinCC OA user administration, you can administer users so that they can use the resources effectively without inflicting damage to the system inadvertently or otherwise
- OIDC Authentication in WinCC OA
  The OIDC Authentication feature introduces support for the OpenID Connect® (OIDC) standard in WinCC OA, enabling integration with modern identity providers for secure, token-based user authentication.
  - WinCC OA User Interface Authentication by Using Keycloak
    - Set Up Keycloak for OIDC Authentication (Base Configuration)
      This task describes how to configure Keycloak as an OpenID Connect (OIDC) authentication provider for WinCC OA in its base configuration.
    - Configuring OIDC Authentication for WinCC OA Project
      Follow these steps to configure your WinCC OA project to use OIDC authentication with Keycloak as the Identity Provider (IdP).
    - Configuring Multi-Factor Authentication (MFA) as an Administrator in Keycloak
      This topic explains how to configure Multi-Factor Authentication (MFA) in Keycloak as an administrator, including how to set MFA as a default requirement for new users and how to require specific users to set up MFA at their next login.
    - Setting up Multi-Factor Authentication (MFA) as a User
      This topic explains how to set up Multi-Factor Authentication (MFA) using a One-Time Password (OTP) application after your administrator has enabled OTP for your account.
- WinCC OA Internal Identity Provider
  This topic provides an overview of the built-in OpenID Connect (OIDC) provider, its integration, configuration, and user management in WinCC OA projects.
- Device Management
  The Device Management allows you to define which WinCC OA UI connections (mobile application and Desktop UI) are allowed to connect to your project. Additionally a direct overview over the available licenses and currently connected devices is shown.
- Inactivity/AutoLogout
  The inactivity management in WinCC OA prevents not authorized persons or persons with a wrong identity to use a workplace for forbidden or not traceable operations.
- Access Control Plug-in
  The WinCC OA Access Control Plug-in can be used to control the access to datapoints (read, write, display) via user rights.
- Authorization Check Plug-in
  The authorization check plug-in allows setting access rights on datapoint element level (datapoint values).
- Authentication via Kerberos, basics
  In a more and more networking world, a WinCC OA system could be exposed to different types of attacks. An unauthorized WinCC OA system could connect to the distribution manager or hackers could try to manipulate WinCC OA messages.
- Login Framework
  The WinCC OA login framework provides a framework that is easy to extend. The WinCC OA login panels can be easily replaced by user-specific panels without having to re-implement the functionality.
- System Use Notification
  You can use the system use notification panel to display an instruction to the user when logging into the WinCC OA system. The user must confirm the notification before logging into the WinCC OA project.
- Audit Trail panel
Availability
How to get your system uptime to the maximum.
Reporting
Create state of the art project reports without limits.
Addons
Useful tools and enhancements for special demands.
Reference Tables
Detailed and extensive content for special project adaptation.
Videos & Tutorials
Explore the capabilities of WinCC OA with our carefully selected collection of video tutorials and guides.
Documentation
Basic information about terms and functions within the documentation.
Support & Services
An experienced team of support agents, consultants and trainers are ready to facilitate active partnerships with our customers, so they can profit from our comprehensive service.
Disclaimer
A brief clarification of liability exclusions or legal notices.

Setting up Multi-Factor Authentication (MFA) as a User

This topic explains how to set up Multi-Factor Authentication (MFA) using a One-Time Password (OTP) application after your administrator has enabled OTP for your account.

The administrator must enable the Configure OTP action for your account. For details about this process, see how administrators enable OTP for users or refer to the Keycloak Required Actions documentation.

Log in to the application with your username and password.
If you do not already have an authenticator app, install an OTP provider app (such as FreeOTP, Google Authenticator, or Microsoft Authenticator) on your mobile device. Other compatible OTP apps may also work.
For supported OTP apps and policy options, see the Keycloak OTP Policy documentation.
When prompted, scan the QR code displayed on the screen using your authenticator app.
Complete the setup in your authenticator app.
Enter the generated one-time password (OTP) from your app to finish logging in.
To learn more about authentication flows, see the Keycloak Authentication Flows documentation.

After successful setup, you will be required to enter an OTP each time you log in. If you have trouble scanning the QR code or logging in, contact your administrator for assistance.