Implementing Bearer Authentication with PI Web API and ADFS
Explore how to implement bearer authentication using ADFS with PI Web API, leveraging community experiences and resources for success.
Roshan Soni
The need for robust and secure authentication in web applications is paramount, especially for industrial data communication in the OSIsoft PI System. Bearer Authentication backed by Active Directory Federation Services (ADFS) can provide the level of security that Single Page Applications (SPAs), such as those built with Angular, require. Here is what the journey from confusion to a working implementation can look like, and how you can achieve it too.
Understanding the Landscape
Before diving into the technical setup, it is important to grasp the basic concepts. Bearer Authentication involves issuing a token that the client must include in the Authorization header of each HTTP request to access protected resources. This method fits well with SPAs that talk to a backend through PI Web API.
ADFS supports this mechanism by acting as the token issuer: it manages user identities and performs authentication through claims (claims-based authentication).
Breaking Down the Setup
- ADFS Configuration:
  - Application Group: Establish an application group in ADFS to obtain the client IDs and secrets the client application needs to communicate with ADFS.
  - Relying Party: Configure a Relying Party Trust in ADFS. This ensures that tokens issued by ADFS are recognized and trusted by your PI Web API.
  - Certificates: Ensure certificates are correctly configured, as they are used to sign tokens so that the receiving party can validate them.
  - Endpoints: Set up the necessary endpoints within ADFS to facilitate token issuance. This includes configuring the OpenID Connect endpoints, which play a vital role in this setup.
- Implementing Token Issuance in PI Web API:
  - Follow OSIsoft's playbook: it is a treasure trove of information detailing the configuration needed in PI Web API to recognize and trust ADFS-issued tokens.
  - Validate with test applications: confirm your configuration works as expected with simpler test applications before deploying it in the live environment.
Shared Experiences and Results
Another community user has validated this setup and has extended an offer to share their detailed implementation strategy. This approach of learning from others can significantly expedite your understanding and troubleshooting processes.
Overcoming Common Hurdles
Despite the comprehensive resources available, many people run into issues such as persistent 401 responses with no error details in the Event Viewer. This calls for a meticulous review of:
- C2WTS Configuration: Ensure that Claims to Windows Token Service (C2WTS) is properly configured and operational, especially for service accounts.
- Networking Aspects: Ensure that there are no firewall or proxy configurations impeding ADFS and PI WebAPI communications.
Conclusion
Implementing Bearer Authentication for your PI Web API using ADFS is not a trivial task, but armed with the right resources and a community of users willing to share their experiences, it becomes manageable. Always ensure that your configuration matches your specific environment, and don't hesitate to seek out shared knowledge within the community.
By breaking the work down as described, and leveraging both OSIsoft and Microsoft resources, you can secure your SPA's communication with PI Web API effectively.