Configure Single Sign-On (SSO)

Use single sign-on (SSO) to associate a Power Operation project user (a Citect user) with either a Power Operation or Power Monitoring Expert (PME) username/password. When the user is logged in to the Power Operation Runtime and accesses an external application—such as Dashboards—the SSO user password is used to authenticate with the external application.

When you use SSO, we recommend that you maintain the components on the same computer or on a secure network. If higher security is needed, use Transport Layer Security.

WARNING

POTENTIAL COMPROMISE OF SYSTEM AVAILABILITY, INTEGRITY, AND CONFIDENTIALITY

Store system keys, AES encryption files, or other files containing passwords at a secure site.

Failure to follow these instructions can result in death, serious injury, equipment damage, or permanent loss of data.

Cybersecurity policies that govern how sensitive system files are securely stored vary from site to site. Work with the facility IT System Administrator to ensure that such files are properly secured.

To configure SSO:

  1. Open the Application Configuration Utility:

    • From Programs, click Power Operation > Application Config Utility.

    Or

    • In Power Operation Studio: Click Projects > Home, then click Power Applications > Application Config Utility.

  2. Click the Security tab.
  3. From the Application drop-down list, choose the application (such as Dashboards, Basic Reporting, Advanced Reporting, Diagrams, LiveView) to which you want to map a Power Operation user.
  4. In Timeout, enter the time after which the system will stop trying to find a match. If no match is found, SSO for this user will not take place.
  5. Click Guest User, then click Edit to launch the Edit User dialog.
  6. In the Edit User dialog, type the SSO user and password that match the username and password of the Power Monitoring Expert (PME) or Power Operation user to which the Guest User is mapped.
    NOTE: Guest User allows the Power Operation Runtime Operator to access the integrated applications in PME or Power Operation (basic reports); however, the Operator will be acting as a Guest User and will have fewer feature privileges.

    For example, you could create a guest user that only has access to dashboards, and link a PME user to this account. The Power Operation Operator could then access dashboards without logging into the Power Operation Runtime.

  7. In the Users area, manage user access to the applications. Use this area to add users who need to have a Power Operation project user account.
    • Citect User: The project username for the user logging in to the Power Operation Runtime.
    • SSO User/SSO Password: The established credentials for this user, either from Power Operation or Power Monitoring Expert.

SSO Calls from a Web Client

Power Operation automatically detects calls that are made from a Web client. The calls are sent to an I/O Server. For this to work properly, the user needs Remote Procedure Call (RPC) privileges for web client access.

To enable SSO calls from a Web client:

  1. In Power Operation Studio: Click Security > Roles.
  2. For the desired Power Operation role or Windows Group, change Allow RPC to TRUE.
  3. Click Topology > Edit > I/O Servers, and change Allow RPC to TRUE for at least one I/O server per machine.

Configure SSO for Active Directory Users

SSO allows the use of Windows Active Directory users. Follow the previous instructions to create a Guest User. When the Power Operation Runtime Operator logs in to the Power Operation Runtime interface with a Windows user, the operator is treated as a Guest User and can access integrated Advanced Reports and Dashboards through SSO.
