Public computer in Windows Kiosk mode accessing PiVision

Hi,

I would like to set up a "Public" computer inside our office that can access PiVision from Windows Kiosk mode (no Windows login necessary). The computer is on the same AD as the PI System, but I do not want to log in to PiVision using an AD-mapping account, since the password is too complex and it also should not be revealed, since the environment is restricted.

My first approach was to get the web browser to remember the AD login credentials, but that doesn't seem to work when you are in Windows kiosk mode. (Is there a way to solve this?)

I'm now thinking of using the old piusers group and creating a demo user with read access to some PI tags. The password would then be the same as the username, and it would be easy to log in to PiVision again if someone has closed the browser. The problem is that I don't know how to "enable" the piusers group. Is it even possible to use the old piusers group in parallel with Windows mapping?

There might be a completely different and better approach to solve my topic that I haven't thought of. I would appreciate if someone shared their experience in similar cases or helped me on the way with the pi Users group.

 

Thanks

Best regards,

Pär

 

 

  • Hi Pär

    I had just written a rather long answer but then my browser crashed, so I'm keeping it short when rewriting it.

    Which versions of PI System and PI Vision are you using? In the 2023 versions, there is an introduction of token-based authentication, which could help you in this case. Modern authentication includes the use of external identity providers (Facebook/Google for non-business apps, Microsoft etc. for business apps); these support/require two-factor authentication, which is fine if there's an actual user trying to "get in". But in the cases of services or other unattended processes needing to authenticate, there's something called the Client Credentials Flow, e.g. in Microsoft Azure AD (now MS Entra ID). This allows your IT dept. to set up non-interactive access for a specific process, and this process would then use a provided client_id (user id) and client_secret (password) when authenticating. Since this allows the unattended process to authenticate without a 2FA code, you set the validity period for the client_secret from the server side. I've seen 1 year being used in many situations, meaning the access is only valid for one year - then a new client_secret needs to be generated.

    If you set up your public computer without Windows login, I guess you should be able to auto-login and start your browser in fullscreen with kiosk mode, and then have authentication done using the client credentials flow.

    Have a look at the Modern Authentication section in the PI Vision 2023 release notes
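
The client credentials flow mentioned in the reply above, as an added example (not part of the reply and not PI Vision code): it builds the non-interactive token request, validates the response, and flags when the client_secret nears its server-set expiry. The tenant ID, scope and function names are constructed placeholders, and how PI Vision consumes the resulting token is not covered on this page.

```python
import json
import time
import urllib.parse
from datetime import date

# Constructed placeholder tenant; the URL shape is the Entra ID v2.0 token endpoint.
TENANT = "00000000-0000-0000-0000-000000000000"
TOKEN_URL = f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/token"


def build_token_request(client_id, client_secret, scope):
    """Return (url, headers, body) for the non-interactive token request."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",  # no user, so no 2FA prompt
        "client_id": client_id,
        "client_secret": client_secret,      # keep out of scripts and logs
        "scope": scope,                      # placeholder, e.g. "api://<app-id>/.default"
    })
    return TOKEN_URL, {"Content-Type": "application/x-www-form-urlencoded"}, body


def parse_token_response(raw, now=None):
    """Check the JSON token response and turn expires_in into an absolute time."""
    now = time.time() if now is None else now
    data = json.loads(raw)
    if "error" in data:
        raise PermissionError(f"{data['error']}: {data.get('error_description', '')}")
    if data.get("token_type", "").lower() != "bearer" or not data.get("access_token"):
        raise ValueError("unexpected token response")
    return {"access_token": data["access_token"],
            "expires_at": now + int(data["expires_in"])}


def needs_refresh(token, now=None, skew=60):
    """True when the access token is within `skew` seconds of expiring."""
    now = time.time() if now is None else now
    return now >= token["expires_at"] - skew


def secret_rotation_due(secret_expires, today=None, warn_days=30):
    """True when the client_secret's server-side validity is about to end."""
    today = today or date.today()
    return (secret_expires - today).days <= warn_days
```

The access token is short-lived and re-requested automatically, while the client_secret is the long-lived credential, so the rotation check is what keeps an unattended kiosk from silently losing access when the secret's validity period ends.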
