Authentication Providers

Configure Local Database, Active Directory, and Azure AD authentication for Proxus.

Proxus supports flexible authentication strategies that fit both standalone machines and enterprise domains. Because it is built on the XAF security system, Proxus can integrate with several identity providers at the same time.

Warning: Deployment Strategy

Standard (Local Database) is the only provider enabled by default in the standard Docker/Linux distribution.

Advanced providers like Active Directory and Azure AD have specific OS and network requirements (e.g., Windows Domain Membership, Kerberos on Linux, or specific Firewall rules). Therefore, the authentication strategy must be decided during the Pre-Deployment Planning phase to ensure the correct infrastructure is provisioned.

Supported Providers

1. Standard (Local Database)

The default authentication mode. User credentials (User Name and Hashed Password) are stored in the internal PostgreSQL database.

  • Best for: Isolated OT networks, standalone installations, or environments without a central domain controller.
  • Management: Users are created and managed directly within the Administration > Users view.

2. Active Directory (On-Premise)

For intranet deployments where servers and workstations are members of a Windows domain, Proxus uses Integrated Windows Authentication (IWA).

  • Single Sign-On (SSO): Users already logged into their Windows workstations can access the Proxus web interface without re-entering their credentials.
  • Auto-Provisioning: Proxus can be configured to automatically create an internal ApplicationUser record when a valid AD user logs in for the first time.
  • Just-In-Time (JIT): Account metadata is pulled from AD at the moment of login, so the local record stays consistent with the directory.

3. Azure AD / Microsoft Entra ID

For modern cloud-connected or hybrid deployments, Proxus integrates with Microsoft Entra ID (formerly Azure AD) via the OpenID Connect (OIDC) protocol.

  • Centralized Revocation: If an employee leaves the company, disabling their account in the Azure portal instantly revokes their access to Proxus.
  • Multi-Factor Authentication (MFA): Proxus inherits any MFA requirements enforced by your organization's Entra ID policy.
  • OAuth2 / OpenID Connect: Standards-based integration that works across different network topologies.

Technical Configuration

Enabling Providers

Authentication providers are registered during the application startup. To enable enterprise providers, you must configure the corresponding sections in your Proxus-config.toml file.

Azure AD Configuration Example

[Authentication.AzureAd]
Instance = "https://login.microsoftonline.com/"
Domain = "your-company.com"
TenantId = "common"
ClientId = "your-app-client-id"
CallbackPath = "/signin-oidc"
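The settings above are the ones to review before a deployment goes live, and the two that matter most are TenantId and ClientId. TenantId = "common" selects the multi-tenant Microsoft identity endpoint, so users from any Entra ID tenant can sign in unless issuer validation is restricted elsewhere; pinning it to your own tenant ID (or verified tenant domain) is the usual hardening. The following is an added example, not Proxus's own code: a small configuration audit that parses the [Authentication.AzureAd] section and reports weak or placeholder values. The TOML subset parser, the sample configs and the GUID values in the hardened version are constructed for this example.

```python
import re

# Constructed copy of the page's sample section (weak: multi-tenant, placeholder client id).
WEAK_CONFIG = '''
[Authentication.AzureAd]
Instance = "https://login.microsoftonline.com/"
Domain = "your-company.com"
TenantId = "common"
ClientId = "your-app-client-id"
CallbackPath = "/signin-oidc"
'''

# Constructed hardened version: TenantId pinned to a placeholder tenant GUID,
# ClientId replaced with a placeholder application (client) GUID.
HARDENED_CONFIG = '''
[Authentication.AzureAd]
Instance = "https://login.microsoftonline.com/"
Domain = "your-company.com"
TenantId = "11111111-2222-3333-4444-555555555555"
ClientId = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
CallbackPath = "/signin-oidc"
'''

GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
DOMAIN_RE = re.compile(r"^[a-z0-9.-]+\.[a-z]{2,}$")
# Aliases that select a multi-tenant endpoint instead of one tenant.
MULTI_TENANT_ALIASES = {"common", "organizations", "consumers"}


def parse_toml_subset(text):
    """Minimal parser for '[table]' headers and 'key = "string"' lines.
    Enough for this config shape; use tomllib for anything richer."""
    tables, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            tables.setdefault(current, {})
            continue
        m = re.match(r'^([A-Za-z0-9_.-]+)\s*=\s*"(.*)"$', line)
        if m and current is not None:
            tables[current][m.group(1)] = m.group(2)
    return tables


def audit_azure_ad(text):
    """Return a list of (severity, message) findings for the AzureAd section."""
    findings = []
    section = parse_toml_subset(text).get("Authentication.AzureAd")
    if section is None:
        return [("error", "missing [Authentication.AzureAd] section")]

    if not section.get("Instance", "").startswith("https://"):
        findings.append(("error", "Instance must use https"))

    tenant = section.get("TenantId", "")
    if tenant.lower() in MULTI_TENANT_ALIASES:
        findings.append(("warning", f"TenantId={tenant!r} is a multi-tenant endpoint; "
                         "sign-ins from any tenant are accepted unless issuer validation "
                         "restricts them; pin TenantId to your tenant GUID"))
    elif not (GUID_RE.match(tenant) or DOMAIN_RE.match(tenant.lower())):
        findings.append(("warning", "TenantId is neither a tenant GUID nor a tenant domain"))

    if not GUID_RE.match(section.get("ClientId", "")):
        findings.append(("error", "ClientId is not an application (client) GUID; "
                         "looks like a placeholder"))

    if not section.get("CallbackPath", "").startswith("/"):
        findings.append(("error", "CallbackPath must be an absolute path"))

    if not section.get("Domain"):
        findings.append(("warning", "Domain is not set"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_azure_ad(cfg) or "no findings")
```

Running the audit on the page's sample reports the multi-tenant TenantId and the placeholder ClientId; the hardened variant passes clean. A check like this is cheap to run in the pre-deployment planning phase the warning above calls for.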

Auto-Create Users

XAF's security system allows for the automatic creation of user records for external identities.

  • Option: options.CreateUserAutomatically() in the security configuration.
  • Workflow: When an unknown user authenticates via AD/Azure, Proxus creates a new user, assigns a default role (e.g., "Default" or "Viewer"), and allows the user to proceed. Administrators can then elevate their permissions as needed.
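The following is an added example of the auto-create workflow described above, written in Python rather than against the XAF API, so it is not Proxus's own implementation. It assumes the ID token has already been signature-verified and that Entra ID's tid (tenant) and oid (object id) claims are available; the placeholder tenant ID, the ApplicationUser shape and the in-memory store are constructed for the example. Two points it makes that the bullets do not: the local record is keyed on the immutable oid rather than the e-mail address, and the JIT refresh updates metadata only, never roles, so an administrator's later elevation survives the next login.

```python
from dataclasses import dataclass, field

DEFAULT_ROLE = "Viewer"  # least-privilege role for auto-created users (the page's example)
EXPECTED_TENANT = "11111111-2222-3333-4444-555555555555"  # placeholder tenant id


@dataclass
class ApplicationUser:
    """Constructed stand-in for the internal ApplicationUser record."""
    external_id: str      # stable subject id from the provider (Entra 'oid'), never the e-mail
    user_name: str
    display_name: str
    roles: list = field(default_factory=lambda: [DEFAULT_ROLE])
    active: bool = True


class ProvisioningError(Exception):
    pass


def provision_from_claims(claims, store, expected_tenant=EXPECTED_TENANT):
    """JIT-provision or refresh an ApplicationUser from validated OIDC claims.

    `claims` is the signature-verified ID token payload (dict);
    `store` maps external_id -> ApplicationUser. Returns (user, created)."""
    # Reject tokens from any tenant other than the one the deployment is pinned to.
    if claims.get("tid") != expected_tenant:
        raise ProvisioningError("token issued by an unexpected tenant")
    oid = claims.get("oid")
    if not oid:
        raise ProvisioningError("token lacks a stable subject identifier (oid)")
    user_name = claims.get("preferred_username") or claims.get("email")
    if not user_name:
        raise ProvisioningError("no user name claim in token")
    display = claims.get("name", user_name)

    user = store.get(oid)
    if user is None:
        # First login: create the record with the default role only.
        user = ApplicationUser(external_id=oid, user_name=user_name, display_name=display)
        store[oid] = user
        return user, True
    if not user.active:
        raise ProvisioningError("user is disabled locally")
    # Subsequent login: sync metadata from the directory, but leave roles alone;
    # elevation stays an administrator decision made in the Users view.
    user.user_name = user_name
    user.display_name = display
    return user, False


if __name__ == "__main__":
    users = {}
    sample = {"tid": EXPECTED_TENANT, "oid": "oid-0001",
              "preferred_username": "alice@your-company.com", "name": "Alice"}
    print(provision_from_claims(sample, users))
```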

Security Policies

Regardless of the provider, Proxus enforces global security policies defined in System > Security Settings:

  • Password Complexity: (local authentication only) Minimum length and character requirements.
  • Lockout Policy: Accounts are locked after repeated failed login attempts, protecting against brute-force attacks.
  • Session Timeout: Automatic logout after a period of inactivity (default: 30 minutes).
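To show how the lockout and idle-timeout policies interact with a login flow, here is an added example (not Proxus's own code) that tracks failed attempts per user name and last-activity time per session. The 30-minute idle timeout is the page's default; the 5-attempt threshold, the 15-minute lockout duration and the clock values are constructed for the example, and time is injected so the behaviour can be checked deterministically.

```python
from datetime import datetime, timedelta

MAX_FAILED_ATTEMPTS = 5                   # constructed threshold (System > Security Settings)
LOCKOUT_DURATION = timedelta(minutes=15)  # constructed lockout duration
SESSION_TIMEOUT = timedelta(minutes=30)   # the page's default idle timeout
BASE = datetime(2024, 1, 1, 9, 0)         # constructed reference time


def at(minutes):
    """Clock helper: BASE plus the given number of minutes."""
    return BASE + timedelta(minutes=minutes)


class AccountGuard:
    """Tracks failed logins per user name and idle sessions; `now` is passed in explicitly."""

    def __init__(self):
        self.failures = {}   # user name -> (failed count, locked_until or None)
        self.sessions = {}   # session id -> (user name, last activity)

    def is_locked(self, user, now):
        _, until = self.failures.get(user, (0, None))
        return until is not None and now < until

    def record_login(self, user, success, now):
        """Returns 'locked', 'ok' or 'failed'. While locked, even a correct
        password is refused; a successful login after the lock expires resets the counter."""
        if self.is_locked(user, now):
            return "locked"
        if success:
            self.failures.pop(user, None)
            return "ok"
        count, _ = self.failures.get(user, (0, None))
        count += 1
        until = now + LOCKOUT_DURATION if count >= MAX_FAILED_ATTEMPTS else None
        self.failures[user] = (count, until)
        return "locked" if until else "failed"

    def touch_session(self, sid, user, now):
        """Create or refresh a session; returns False (and drops it) once the
        gap since the last activity exceeds SESSION_TIMEOUT."""
        entry = self.sessions.get(sid)
        if entry is None:
            self.sessions[sid] = (user, now)
            return True
        _, last = entry
        if now - last > SESSION_TIMEOUT:
            del self.sessions[sid]
            return False
        self.sessions[sid] = (user, now)
        return True


if __name__ == "__main__":
    guard = AccountGuard()
    for _ in range(5):
        print(guard.record_login("bob", False, at(0)))
    print(guard.record_login("bob", True, at(1)), guard.record_login("bob", True, at(16)))
```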