Secure Configuration Guide
Version 1.0.0 - 2026-02-24
Introduction
This Secure Configuration Guide describes the recommended security configuration of the Digital Enterprise Suite.
The guide is written for administrators responsible for configuring and operating the service in a secure manner. It focuses on customer-controllable settings exposed in the Administration interface.
How to Use This Guide
Administrators should use this guide during initial onboarding, periodic security reviews, during major version upgrades, and whenever configuration changes are planned that may affect the security posture of the tenant.
Where applicable, this guide references detailed help topics in the Administration interface for step-by-step instructions. Those topics describe how to perform the configuration in the user interface, while this guide focuses on what settings should be chosen and why.
Configurations
User Provider Configurations
The following User Provider settings should be configured:
Identity Provider (IdP)
- Authentication Method should be configured to either:
  - Security Assertion Markup Language 2 (SAML2) with the Sign AuthnRequest option checked.
  - OpenID Connect (OIDC) with the PKCE required option checked.
The Digital Enterprise Suite relies on the organization's Identity Provider (IdP). This IdP should enforce phishing-resistant MFA.
Note: Using the OTP configuration is not phishing resistant.
System for Cross-domain Identity Management (SCIM)
The SCIM integration is the authoritative mechanism to provision, update, and deprovision all user accounts and groups, including the top-level Administrators group that controls enterprise-wide access to the Digital Enterprise Suite. SCIM ensures that administrative access is granted, modified, and revoked centrally from the organization’s Identity Provider (IdP), in alignment with corporate security policies.
At least three groups should be provisioned from the SCIM provider:
Group Name | Role
Administrators | Top-level administrative accounts
Modelers | User accounts that are allowed to create, view, update and delete models and services based on their place and execution environment access.
Viewers | User accounts that are allowed to view models and services based on their place and execution environment access.
Other groups that control access to Places and Execution Environments can also be synced as needed to implement Role-Based Access Control (RBAC).
Note: If SCIM cannot be implemented, an administrator should create those groups manually in the Groups page and assign users to them.
Client Access License (C.A.L.) Allocation
The automatic assignment of licenses (C.A.L.) should be disabled; license assignment is then controlled by SCIM provisioning.
Note: If SCIM cannot be implemented, an administrator should create and remove licenses in the Client Access Licenses page.
Groups
Product assignment should be configured on the Groups page for the three main groups:
- Administrators: Administration
- Modelers: Digital Modeling Suite Modelers and Digital Automation Suite Application Users (if subscribed)
- Viewers: No product selected
Security
The following Security settings should be configured:
- Session Cookie Length: After closing the browser
- Same Site Cookie: Strict
- Inactivity timeout in minutes: 30
- Enable Cross-Domain REST API calls: Unchecked
- Allow embed of the DES inside frames: Unchecked
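As an added check that is not part of this guide or the product, the following Python snippet audits an HTTP response from the tenant against the cookie, framing and cross-domain settings above. The sample responses are constructed, and the mapping of the frame and cross-domain settings onto X-Frame-Options/CSP and CORS response headers is an assumption about how the product exposes them.

```python
"""Audit an HTTP response's headers against the guide's Security settings."""

# Constructed sample responses (not captured from a real deployment). Headers are
# keyed by lower-case name; Set-Cookie is a list because it may repeat.
WEAK_RESPONSE = {
    "set-cookie": ["DESSESSION=abc123; Path=/; Max-Age=2592000; SameSite=Lax; Secure; HttpOnly"],
    "access-control-allow-origin": ["*"],
}
HARDENED_RESPONSE = {
    "set-cookie": ["DESSESSION=abc123; Path=/; SameSite=Strict; Secure; HttpOnly"],
    "x-frame-options": ["DENY"],
}


def parse_set_cookie(value):
    """Split a Set-Cookie value into (cookie name, {attribute: value})."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit_headers(headers):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    for raw in headers.get("set-cookie", []):
        name, attrs = parse_set_cookie(raw)
        # "Session Cookie Length: After closing the browser" -> no Max-Age/Expires.
        if "max-age" in attrs or "expires" in attrs:
            findings.append(f"{name}: persistent cookie, expected a session cookie")
        # "Same Site Cookie: Strict".
        if attrs.get("samesite", "").lower() != "strict":
            findings.append(f"{name}: SameSite is {attrs.get('samesite') or 'missing'}, expected Strict")
    # Assumed mapping: "Allow embed inside frames: Unchecked" -> X-Frame-Options DENY
    # or a Content-Security-Policy that carries frame-ancestors.
    xfo = [v.upper() for v in headers.get("x-frame-options", [])]
    csp = " ".join(headers.get("content-security-policy", []))
    if "DENY" not in xfo and "frame-ancestors" not in csp:
        findings.append("no X-Frame-Options DENY or CSP frame-ancestors: page can be framed")
    # Assumed mapping: "Enable Cross-Domain REST API calls: Unchecked" -> no CORS
    # allow-origin header on the response.
    if headers.get("access-control-allow-origin"):
        findings.append("Access-Control-Allow-Origin present: cross-domain API calls enabled")
    return findings


if __name__ == "__main__":
    for label, response in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_headers(response) or "OK")
```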
Notification Channels
Note: This setting is not available in all deployment scenarios.
The following Notification Channels settings should be configured:
- No email server configured unless you fully control the security of that server.
- No Microsoft Teams configuration.