
An Identity Provider (IdP) offers a way for users to log in to Ignition using credentials stored outside of Ignition. An IdP creates, maintains, and manages identity (login) information while providing authentication services to Ignition. This provides a secure login that allows Ignition to use SSL and two-factor authentication (2FA).

In 8.0, Identity Providers are only utilized by Perspective. Authentication in other areas of Ignition, such as the Vision module, is handled by User Sources.


Identity Provider Authentication Workflow

The following steps illustrate how IdP authentication works.

  1. User starts a Perspective Session.
  2. User attempts some action that requires authentication.
  3. User is redirected to the Identity Provider: The Session sees that authentication is required and redirects the user to a web page hosted by the IdP.
  4. IdP Authenticates the User: The IdP prompts the user with a security challenge, such as requesting a username and password. The extent of the challenge depends entirely on the provider, but many providers may offer support for multi-factor authentication (MFA).
  5. User Responds: The user correctly responds to the security challenge.
  6. Redirect back to the Session: If the IdP successfully validates the user, it will redirect the user back to the Perspective Session. Some IdPs may have an additional workflow they will guide the user through, such as re-verifying an email address or replacing an expired password. The IdP will also return information about that user to the Session. This provides some context about the user that the Session can use to assign Security Levels. 
  7. Update the User's Security Level: Once back at the session, the user will be mapped to the specified Security Level, giving the user access to the restricted action. 
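As an added example that is not part of this page or of Ignition's own code, the following Python simulation walks through steps 3 to 7 above: a Session builds a redirect to a stand-in IdP, the IdP challenges the user and redirects back with a one-time code, and the Session accepts the callback only when the state value it issued matches and has not been used before. The URLs, the redirect_uri/state/code parameter names (borrowed from the OpenID Connect authorization-code flow), the user records and the passwords are all constructed for this example.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed user records held by the simulated IdP (not real credentials).
IDP_USERS = {
    "alice": {"password": "correct horse", "email": "alice@example.com",
              "roles": ["Operator", "Admin"]},
    "bob": {"password": "hunter2", "email": "bob@example.com",
            "roles": ["Operator"]},
}


class SimulatedIdP:
    """Stand-in for the external IdP (hypothetical; not Ignition's own IdP)."""

    def __init__(self):
        self.codes = {}  # one-time authorization code -> username

    def authenticate(self, login_url, username, password):
        """Steps 4-6: challenge the user; on success redirect back with a one-time code."""
        query = parse_qs(urlparse(login_url).query)
        redirect_uri, state = query["redirect_uri"][0], query["state"][0]
        record = IDP_USERS.get(username)
        if record is None or not secrets.compare_digest(record["password"], password):
            return None  # challenge failed: no redirect back to the Session
        code = secrets.token_urlsafe(16)
        self.codes[code] = username
        return redirect_uri + "?" + urlencode({"code": code, "state": state})

    def user_info(self, code):
        """Exchange the one-time code for the user document; the code is consumed."""
        username = self.codes.pop(code, None)
        if username is None:
            return None  # unknown or already-used code
        record = IDP_USERS[username]
        return {"sub": username, "email": record["email"], "roles": list(record["roles"])}


class PerspectiveSession:
    """Simplified Session: remembers the states it issued and the logged-in user."""

    def __init__(self, idp, login_url="https://idp.example.com/login",
                 callback="https://gateway.example.com/callback"):
        self.idp, self.login_url, self.callback = idp, login_url, callback
        self.pending_states = set()
        self.user = None

    def require_auth(self):
        """Step 3: an unauthenticated action produces a redirect to the IdP with a fresh state."""
        if self.user is not None:
            return None  # already authenticated; no redirect needed
        state = secrets.token_urlsafe(16)
        self.pending_states.add(state)
        return self.login_url + "?" + urlencode({"redirect_uri": self.callback, "state": state})

    def handle_callback(self, url):
        """Steps 6-7: accept the redirect only if the state is one this Session issued."""
        query = parse_qs(urlparse(url).query)
        state = query.get("state", [None])[0]
        if state not in self.pending_states:
            return False  # unsolicited, forged, or replayed callback
        self.pending_states.discard(state)  # each state is valid exactly once
        info = self.idp.user_info(query.get("code", [""])[0])
        if info is None:
            return False
        self.user = info  # the Session can now map this document to Security Levels
        return True


def run_login(username, password):
    """Drive one full workflow and report what happened at each check."""
    idp = SimulatedIdP()
    session = PerspectiveSession(idp)
    login_url = session.require_auth()
    callback = idp.authenticate(login_url, username, password)
    if callback is None:
        return {"authenticated": False, "replay_rejected": None, "user": None}
    first = session.handle_callback(callback)
    replay = session.handle_callback(callback)  # same URL presented a second time
    return {"authenticated": first, "replay_rejected": not replay, "user": session.user}


if __name__ == "__main__":
    print(run_login("alice", "correct horse"))
    print(run_login("alice", "wrong password"))
```

The state check is the part worth copying into any real integration: because the Session only trusts callbacks carrying a state it generated itself, a redirect that was never requested, or one that is replayed, is dropped before any user document is accepted.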

Types of Identity Providers

The following types of providers are available. More information on the types can be found on the Identity Provider configuration reference page.

  • Ignition - The Gateway will act as an Identity Provider, accepting authentication requests from other Perspective Sessions. Users and roles are stored internally to Ignition. Useful when an external identity provider is unavailable.
  • OpenID Connect 1.0 - Used to configure an external IdP via OpenID Connect.
  • Security Assertion Markup Language (SAML) - Used to configure an external IdP via SAML.

Suggested External Identity Providers

Your organization's IT may have some sort of existing integration with an Identity Provider. Some popular Identity Providers are listed below. 

Using Identity Providers

Once an Identity Provider has been configured, there are a few things that can be done to test and adjust how it works. You can map the attributes that are returned in the IdP response document to more familiar user properties that are available to use within the project. You can add rules to custom security levels that determine when a user falls into the level. Overrides can be given to users in the form of User Grants, so that they are granted certain security levels regardless of the rules. Finally, you can test out the IdP by logging in with a user to confirm what is returned in the response document.
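As an added example that is not part of this page or of Ignition's own code, this Python snippet shows the three pieces of the paragraph above working together: mapping attributes from a constructed IdP response document onto familiar user properties, evaluating rules that place a user into custom security levels, and applying User Grants as overrides that hold regardless of the rules. The attribute names in the response, the slash-separated level names, the rule predicates and the grants table are all assumptions made for this example.

```python
# Constructed IdP response document, as the Session might receive it after login.
SAMPLE_RESPONSE = {
    "sub": "alice",
    "preferred_username": "alice",
    "email": "alice@example.com",
    "groups": ["Operators", "Maintenance"],
}

# Familiar user property -> attribute name in the IdP response (assumed names).
ATTRIBUTE_MAPPING = {"username": "preferred_username", "email": "email", "roles": "groups"}


def missing_attributes(response, mapping):
    """List the response attributes a mapping needs but the IdP did not return."""
    return [attr for attr in mapping.values() if attr not in response]


def map_attributes(response, mapping):
    """Translate IdP attribute names into the user properties the project uses."""
    missing = missing_attributes(response, mapping)
    if missing:
        raise ValueError("IdP response lacks required attributes: %s" % ", ".join(missing))
    return {prop: response[attr] for prop, attr in mapping.items()}


# Custom security level rules: level name -> predicate over the mapped user.
# Slash-separated level names are an assumption for this example; every
# successfully logged-in user holds the base "Authenticated" level.
SECURITY_LEVEL_RULES = {
    "Authenticated/Operators": lambda u: "Operators" in u["roles"],
    "Authenticated/Maintenance": lambda u: "Maintenance" in u["roles"],
    "Authenticated/Administrators": lambda u: "Administrators" in u["roles"],
}

# User Grants: overrides that give a named user a level regardless of the rules.
USER_GRANTS = {"alice": {"Authenticated/Administrators"}}


def assign_security_levels(user, rules=SECURITY_LEVEL_RULES, grants=USER_GRANTS):
    """Compute the levels a user holds: base level + matching rules + grants."""
    levels = {"Authenticated"}
    for level, predicate in rules.items():
        if predicate(user):
            levels.add(level)
    levels |= grants.get(user["username"], set())
    return levels


def has_level(levels, required):
    """True if the user holds the required level or any level nested beneath it."""
    return any(l == required or l.startswith(required + "/") for l in levels)


def inspect_login(response, mapping=ATTRIBUTE_MAPPING):
    """Mimic the test-login step: show what came back and what it mapped to."""
    user = map_attributes(response, mapping)
    return {"user": user, "levels": sorted(assign_security_levels(user))}


if __name__ == "__main__":
    print(inspect_login(SAMPLE_RESPONSE))
```

Running the test-login step against a real provider is what tells you which attribute names to put in the mapping; the `missing_attributes` check makes a response that lacks one of them fail loudly instead of silently producing a user with no roles and therefore no security levels beyond the base one.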
