Proxus supports flexible authentication strategies for both standalone installations and enterprise environments. When the corresponding authentication settings are enabled, the platform can integrate with multiple identity providers.
Standard (Local Database) is the only provider enabled by default in the standard Docker/Linux distribution.
Advanced providers like Active Directory and Azure AD have environment-specific requirements (for example, Windows domain membership, network access to the identity provider, and the correct deployment configuration). Therefore, the authentication strategy should be decided during the Pre-Deployment Planning phase.
Supported Providers
Standard (Local Database)
The default authentication mode. User credentials are stored in the internal PostgreSQL database.
- Best for: Isolated OT networks, standalone installations, or environments without a central domain controller.
- Management: Users are created and managed directly within the Administration > Users view.
Active Directory (On-Premise)
For intranet deployments where servers and workstations are part of a Windows domain, Proxus can use Integrated Windows Authentication (IWA).
- Single Sign-On (SSO): Users already logged into their Windows workstations can access the Proxus web interface without re-entering their credentials.
- Auto-Provisioning: Proxus can automatically create a platform user record when a valid directory user logs in for the first time.
- Just-In-Time (JIT): Account metadata is resolved at the moment of login, keeping account details current.
Azure AD / Microsoft Entra ID
For modern cloud-connected or hybrid deployments, Proxus integrates with Microsoft Entra ID (formerly Azure AD) via the OpenID Connect (OIDC) protocol.
- Centralized Revocation: If an employee leaves the company, disabling their account in the Azure portal instantly revokes their access to Proxus.
- Multi-Factor Authentication (MFA): Proxus inherits any MFA requirements enforced by your organization's Entra ID policy.
- OAuth2 / OpenID Connect: Standards-based integration that works across different network topologies.
Technical Configuration
Enabling Providers
Authentication providers are registered during application startup. To enable enterprise providers, configure the corresponding authentication settings in your deployment configuration.
Azure AD Configuration Example
[Authentication.AzureAd]
Instance = "https://login.microsoftonline.com/"
Domain = "your-company.com"
TenantId = "common"
ClientId = "your-app-client-id"
CallbackPath = "/signin-oidc"
Auto-Create Users
The platform can automatically create user records for external identities when configured.
- Workflow: When an unknown user authenticates via AD/Azure, Proxus creates a new user, assigns a default role (for example, "Viewer"), and allows the user to proceed. Administrators can then elevate permissions as needed.
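With TenantId = "common", the Microsoft identity platform accepts sign-ins from any Entra tenant, so when auto-creation is enabled the issuing tenant determines who receives the default role. The following Python example is added here and is not Proxus code: it gates just-in-time provisioning on the token's `tid` and `iss` claims. The function names, the allow-list, the constructed tenant GUIDs and the use of v2.0 ID tokens are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

AUTHORITY = "https://login.microsoftonline.com/"  # Instance value from the page
DEFAULT_ROLE = "Viewer"                           # default role named on the page
# Constructed placeholder GUIDs, not real tenants.
HOME_TENANT = "11111111-1111-1111-1111-111111111111"
OTHER_TENANT = "22222222-2222-2222-2222-222222222222"


@dataclass
class Decision:
    allowed: bool
    reason: str
    role: Optional[str] = None


def provisioning_decision(claims, allowed_tenants=(HOME_TENANT,)):
    """Decide whether an unknown external identity may be auto-created.

    `claims` must come from an ID token whose signature, audience and expiry
    the OIDC library has already verified (assumption of this example).
    """
    tid = str(claims.get("tid", "")).lower()
    if not tid:
        return Decision(False, "missing tid claim")
    if tid not in {t.lower() for t in allowed_tenants}:
        return Decision(False, "tenant not on allow-list")
    # Tokens from the multi-tenant endpoint carry the issuing tenant in `iss`
    # (v2.0 format); it has to agree with `tid`.
    expected_iss = f"{AUTHORITY}{tid}/v2.0".lower()
    if str(claims.get("iss", "")).rstrip("/").lower() != expected_iss:
        return Decision(False, "issuer does not match tid")
    if not claims.get("oid"):
        return Decision(False, "missing oid claim")
    return Decision(True, "tenant allowed", DEFAULT_ROLE)


def sample_claims(tid, iss_tid=None):
    """Build constructed claims for the demo below."""
    return {"tid": tid, "oid": "constructed-object-id",
            "iss": f"{AUTHORITY}{iss_tid or tid}/v2.0"}


if __name__ == "__main__":
    for c in (sample_claims(HOME_TENANT), sample_claims(OTHER_TENANT),
              sample_claims(HOME_TENANT, iss_tid=OTHER_TENANT)):
        print(provisioning_decision(c))
```

Setting TenantId to the organization's own tenant ID instead of "common" restricts sign-in at the identity provider; the check above covers deployments that keep the multi-tenant endpoint.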
Security Policies
Regardless of the provider, Proxus enforces global security policies defined in System > Security Settings:
- Password Complexity: (For Local Auth) Minimum length and character requirements.
- Lockout Policy: Protection against brute-force attacks.
- Session Timeout: Auto-logout after inactivity (Default: 30 minutes).
For all security, password policy, and JWT authentication settings, see Configuration Reference — Security & Authentication.