Active Directory User Authentication using AF SDK

Question asked by Swamy on Apr 10, 2019
I'm new to PI and the PI AF SDK and am currently in the process of learning. I have a situation where I need to support AD integration & SSO. The system architecture is similar to the picture below:


The request from the Client PC can go through multiple intermediate Server nodes before reaching the target Server Machine where the PI AF client is installed. With this architecture, I want to authenticate the connection to the PI Server using the Remote Client PC.

One of the solutions I could think of is "Client Impersonation". The "Remote Client PC" will pass the logged-on user's Access Token, and the Service Machine will impersonate the client using the token (I'm not sure, but I think all AF SDK calls should be made under impersonation).


1. Are there any other solutions other than Impersonation to achieve the requirement?

2. Also, if there are multiple clients with different logged-in users, would this approach be feasible? What I mean by this is, if I make all AF SDK calls under impersonation using the client token, will I get the appropriate user's data?


I'm still new to AD & SSO, so I'm open to any suggestions or better solutions.


Thank you