Registering the Ignition Gateway

Before configuring an Identity Provider on the Ignition Gateway, the Gateway must first be registered with that Identity Provider as a client. Your Identity Provider will have a workflow to register it, and it will most likely ask for something called a return URL or redirect URI. The paths below are built from your Gateway's address/hostname, and they differ depending on the type of provider.

Note: The same redirect URI is used for login and logout.

OpenID Connect Providers (OP)
  http://yourGatewayAddress:Port/data/federate/callback/oidc

SAML Providers
  http://yourGatewayAddress:Port/data/federate/callback/saml

Secure Integration with IdPs

You should always use the secure (https) versions of these redirect URIs in production environments. To do this you must enable SSL/TLS in Ignition and install a valid certificate. This is the best practice for maintaining a secure integration with third-party Identity Providers.

Configuring Identity Providers

Configure an Identity Provider

Although there are several types, the general workflow for creating an Identity Provider is the same.

  1. On the Gateway Webpage, click on the Config tab.
  2. Under the Security section, click on Identity Providers. The Identity Providers screen is displayed, listing all IdPs that have been configured. You can filter by name or adjust the number of IdPs displayed in the view.
  3. Click on Create New Identity Provider...
  4. Choose the type of provider. The current options are Ignition, OpenID Connect 1.0, or Security Assertion Markup Language 2.0 (SAML).
  5. Click the Next button.
  6. Configure the adapter. This step varies based on the type of provider. See the reference tables below for a description of each property.
  7. Once you've filled in the properties, click Save.


Common Properties

All Identity Provider types share the following properties:

Provider Name (Required: Yes)
  The name of the adapter. Adapter names must be unique, so no two adapters on the same Gateway may have the same name.
  The naming conventions for IdPs are as follows:
    • IdP names must begin with an underscore or alpha character.
    • The remaining characters in the name must be either underscores or alphanumeric.
    • IdP names are not case sensitive.

Provider Description (Required: No)
  A description of the provider.

Provider Type (Required: Yes)
  The type of Identity Provider. The value for this field comes from the previous screen. It cannot be changed here.


Ignition Identity Provider

The Ignition Identity Provider has the following properties:

User Source (Required: Yes)
  The User Source for this IdP. In order to properly authenticate users, the Ignition Identity Provider must be able to query the list of users from the underlying user source profile.

Session Inactivity Timeout (Required: Yes; new in Ignition 8.1.0)
  The number of minutes that must elapse before a session is expired due to user inactivity. Sessions will not time out if this is set to any number less than or equal to zero.

Session Expiration (Required: Yes; new in Ignition 8.1.0)
  The maximum number of minutes a session may exist before it is expired. Sessions will not have a maximum lifetime if this is set to any number less than or equal to zero.

Remember Me Expiration (Required: Yes; new in Ignition 8.1.0)
  The maximum number of hours a user will be remembered if they elect to be remembered. Remember Me is disabled when this value is set to any number less than or equal to zero. For more information on this option, see the Remember Me section below.

Authentication Methods (Required: Yes)
  You can opt into badge-based authentication for the IdP by enabling the "Badge" Authentication Method. The "Default" radio button determines which option users first see when attempting to authenticate against the IdP.

Badge Secret (Required: Yes)
  Choose whether or not the user is required to enter a secret (password) along with their badge scan. Additional option can be checked to r

Badge Settings

Badge Secret (Required: Yes)
  Choose whether or not the user is required to enter a secret (password) along with their badge scan. Check to r

Built-In Attributes

The following attributes are available in the Ignition IdP.

auth_time (Type: Date)
  Represents the time the user last authenticated.
  Example:
    // Check whether it has been within 15 minutes since the last
    // authentication attempt
    dateDiff({idp-attributes:auth_time}, now(), "minutes") <= 15

challenged (Type: Boolean)
  Signifies whether the user provided credentials at the last login.
  If true, the user was asked to re-validate their credentials the last time they attempted to log in.
  If false, they were not challenged to re-validate their credentials during the last login attempt. This can happen when a login request was made after a user was already authenticated: for example, a user already authenticated in a Perspective Session, followed by a separate call to the system.perspective.login function with the forceAuth parameter set to false, so the user did not provide credentials during the last authentication challenge.
  Example:
    // Returns true or false, depending on whether or not the user
    // provided credentials at the last login.
    {idp-attributes:challenged}

Remember Me Example

New in Ignition 8.1.0.

The Remember Me option allows your login to be remembered for a set amount of time, even if you close your browser or restart your Gateway. When set, you will be remembered on this device for the specified number of hours without needing to log in again.

Caution: This option is not recommended if you are using a public or shared device.

To set up Remember Me, do the following steps:

  1. On the Gateway Webpage, click on the Config tab. Scroll down to Security > Identity Providers.
  2. For the Ignition Identity Provider you'd like to configure, click on the More option and choose Settings.
  3. On the Settings page, scroll down to the Provider Configuration section.
  4. For the Remember Me Expiration option, enter a value greater than zero. For this example, we set the option to two hours.
  5. Click Save to save your changes.

To enable Remember Me for your login, do a test login:

  1. On the Gateway Webpage, click on the Config tab. Scroll down to Security > Identity Providers.
  2. For the Ignition Identity Provider you'd like to configure, click on the More option and choose Test Login.
  3. Enter your password and select the Remember Me option.
  4. Click the Continue button.
  5. Your login will now be remembered for the number of hours specified in the Gateway setting (in this example, 2 hours).


OpenID Connect Providers

OpenID Connect Providers (OP) properties are listed in the following tables. The values on many of these properties may require you to refer to information from your third-party IdP.

Importing Metadata from the Provider

This method is preferred because of its ease of use and accuracy. After importing, you will only need to add your client ID and secret manually. (However, you can revise the imported data if needed as well.)

Import from URL
  URL to the OpenID Provider Configuration document. Typically, if the issuer is "https://example.org/foo" then the metadata URL would be "https://example.org/foo/.well-known/openid-configuration".

Import From File
  File must be a JSON document with the properties described in section 3 (OpenID Provider Metadata) of the OpenID Connect Discovery 1.0 specification.

Configuring the Provider

Most OpenID Providers will require registering Ignition as a client. After the registration process is complete, the provider will generate a client ID and secret for Ignition, which are required below. This gives Ignition the ability to communicate securely with the provider. Most providers will also require a set of redirect URIs. The redirect URI for this Ignition Gateway is: http://docker.ia.local:51276/data/federate/callback/oidc

Client ID (Required: Yes)
  The client identifier registered within the identity provider. This value is provided by the Identity Provider.

Client Secret (Required: Yes)
  The client secret registered within the identity provider. This value is provided by the Identity Provider.

Authorization URL (Required: Yes)
  URL of the OP's OAuth 2.0 Authorization Endpoint.

Token URL (Required: Yes)
  URL of the OP's OAuth 2.0 Token Endpoint.

Logout URL (Required: No)
  Optional URL at the OP to which an RP can redirect to request that the end user be logged out at the OP.

JSON Web Keys URL (Required: No)
  URL of the OP's JSON Web Key Set document.

Use Json Web Keys URI (Required: No)
  If checked, identity provider public keys are automatically downloaded from the given JSON Web Keys URL, and new keys are fetched automatically when the identity provider generates new keys. If unchecked, the static set of JSON Web Keys (configured below) is used, so when the identity provider rotates keys they must be manually added to this configuration.

User Info URL (Required: No)
  Optional URL to retrieve UserInfo claims from the provider. The resulting claims are typically determined by the scopes listed under the Scope setting.

Issuer (Required: Yes)
  Entity that issues a set of claims.

Supported ID Token Signing Algorithm Values (Required: Yes)
  A list of the JSON Web Signature (JWS) signing algorithms supported by the OP for the ID Token to encode the claims in a JWT.

Scope (Required: No)
  A list of scopes which will be sent with each auth request to the OP. Commonly used scopes are email and profile, but check your Identity Provider's documentation for more information.

JSON Web Key Config (Required: No)
  A list of signing key(s) the RP uses to validate signatures from the OP.


JSON Web Key Configuration

Key Type (Required: Yes)
  The cryptographic algorithm family used with the key. Options are EC, RSA or oct.

Public Key Use (Required: No)
  The intended use of the public key. Options are sig or enc.

Key Operations (Required: No)
  The operation(s) for which the key is intended to be used.

Algorithm (Required: Yes)
  The algorithm intended for use with the key.

Key ID (Required: No)
  Used to match a specific key.

X.509 URL (Required: No)
  A URI that refers to a resource for an X.509 public key certificate or certificate chain. The identified resource MUST provide a representation of the certificate or certificate chain that conforms to RFC 5280 in PEM-encoded form, with each certificate delimited as specified in Section 6.1 of RFC 4945.

X.509 Certificate Chain (Required: No)
  The "x5c" (X.509 certificate chain) parameter contains a chain of one or more PKIX certificates. Each entry must be a base64-encoded (Section 4 of RFC 4648, not base64url-encoded) DER PKIX certificate value.

X.509 Certificate SHA-1 Thumbprint (Required: No)
  A base64url-encoded SHA-1 thumbprint (a.k.a. digest) of the DER encoding of an X.509 certificate.

X.509 Certificate SHA-256 Thumbprint (Required: No)
  A base64url-encoded SHA-256 thumbprint (a.k.a. digest) of the DER encoding of an X.509 certificate.

There are some additional properties that depend on which Key Type is selected.

Key Type: EC

crv (Curve) (Required: Yes)
  The cryptographic curve used with the key.

x (X Coordinate) (Required: Yes)
  The x coordinate for the Elliptic Curve point, represented as the base64url encoding of the octet string representation of the coordinate.

y (Y Coordinate) (Required: No)
  The y coordinate for the Elliptic Curve point, represented as the base64url encoding of the octet string representation of the coordinate.

d (ECC Private Key) (Required: No)
  The Elliptic Curve private key value, represented as the base64url encoding of the octet string representation of the private key value.

Key Type: RSA

n (Modulus) (Required: Yes)
  The modulus value for the RSA public key, represented as a Base64urlUInt-encoded value.

e (Exponent) (Required: Yes)
  The exponent value for the RSA public key, represented as a Base64urlUInt-encoded value.

d (Private Exponent) (Required: No)
  The private exponent value for the RSA key, represented as a Base64urlUInt-encoded value.

p (First Prime Factor) (Required: No)
  The first prime factor, represented as a Base64urlUInt-encoded value.

q (Second Prime Factor) (Required: No)
  The second prime factor, represented as a Base64urlUInt-encoded value.

dp (First Factor CRT Exponent) (Required: No)
  The Chinese Remainder Theorem (CRT) exponent of the first factor, represented as a Base64urlUInt-encoded value.

dq (Second Factor CRT Exponent) (Required: No)
  The CRT exponent of the second factor, represented as a Base64urlUInt-encoded value.

qi (First CRT Coefficient) (Required: No)
  The CRT coefficient of the second factor, represented as a Base64urlUInt-encoded value.

oth (Other Primes Info) (Required: No)
  Information about any third and subsequent primes, should they exist. Each new prime added provides new Prime Factor, Factor CRT Exponent, and Factor CRT Coefficient properties, all of which are required.

Key Type: oct

k (Key Value) (Required: Yes)
  The value of the symmetric (or other single-valued) key, represented as the base64url encoding of the octet sequence containing the key value.
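As an added illustration (not code from the Ignition manual or product), the following Python walks through the checks a relying party applies to an ID token using the properties above: the Issuer, the Client ID as expected audience, the Supported ID Token Signing Algorithm Values as an allow-list, and a static JSON Web Key Config entry of Key Type oct selected by its Key ID. The issuer URL, client ID, kid and shared secret are all constructed for the example; it also shows the failure mode behind the Use Json Web Keys URI setting, where a token signed with a rotated kid is rejected until the new key is added to the static set.

```python
import base64, hashlib, hmac, json
# Constructed stand-ins for this page's OpenID Connect properties (Issuer, Client ID,
# Supported ID Token Signing Algorithm Values, one static "oct" JSON Web Key Config entry).
ISSUER = "https://idp.example.org/foo"
CLIENT_ID = "ignition-gateway"
SUPPORTED_ALGS = ["HS256"]

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

JWK_CONFIG = [{"kty": "oct", "kid": "key-2024", "alg": "HS256",
               "k": b64url_encode(b"constructed-shared-secret")}]

def validate_id_token(token, now, jwks=JWK_CONFIG):
    """Return (claims, None) if the ID token is acceptable, else (None, reason)."""
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(b64url_decode(h_b64))
        claims = json.loads(b64url_decode(p_b64))
    except Exception:
        return None, "malformed token"
    alg = header.get("alg")
    if alg not in SUPPORTED_ALGS:  # rejects "none" and any algorithm not on the list
        return None, "unsupported alg %r" % alg
    key = next((k for k in jwks if k.get("kid") == header.get("kid")), None)
    if key is None:  # with a static key set, a rotated kid is simply unknown
        return None, "no key with kid %r in JSON Web Key Config" % header.get("kid")
    if key["kty"] != "oct" or key.get("alg", alg) != alg:
        return None, "key/alg mismatch"
    mac = hmac.new(b64url_decode(key["k"]), (h_b64 + "." + p_b64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, b64url_decode(s_b64)):
        return None, "bad signature"
    if claims.get("iss") != ISSUER:
        return None, "issuer mismatch"
    aud = claims.get("aud")
    if not (aud == CLIENT_ID or (isinstance(aud, list) and CLIENT_ID in aud)):
        return None, "audience mismatch"
    if claims.get("exp", 0) <= now:
        return None, "token expired"
    return claims, None

def make_test_token(claims, kid="key-2024", secret=b"constructed-shared-secret", alg="HS256"):
    """Build a constructed HS256 ID token so the checks above can be exercised offline."""
    h_b64 = b64url_encode(json.dumps({"alg": alg, "kid": kid}).encode())
    p_b64 = b64url_encode(json.dumps(claims).encode())
    mac = hmac.new(secret, (h_b64 + "." + p_b64).encode(), hashlib.sha256).digest()
    return "%s.%s.%s" % (h_b64, p_b64, b64url_encode(mac))
```

A real RS256/ES256 deployment verifies with the RSA or EC public key fields from the tables above instead of an HMAC, but the ordering of the checks (algorithm allow-list, key lookup, signature, then issuer, audience and expiry) is the same.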


Security Assertion Markup Language (SAML) Providers

The properties for Security Assertion Markup Language (SAML) are listed in the following tables. The values on many of these properties may require you to refer to information from your third-party IdP.

Importing Metadata from the Provider

This method is preferred because of its ease of use and accuracy. After importing, you will only need to add your client ID and secret manually. (However, you can revise the imported data if needed as well.)

Import from URL
  URL to the SAML Identity Provider Metadata document.

Import From File
  File must be an XML document which conforms to the SAML 2.0 metadata schema described in saml-metadata-2.0-os.


The SAML Service Provider (SP) metadata for an Ignition Gateway may be accessed at the following URL: http://<ipaddress>:<port>/data/saml/metadata/sp

The Assertion Consumer Service (ACS) URL for this Ignition Gateway is: http://<ipaddress>:<port>/data/federate/callback/saml

Both of these addresses assume you know the IP Address and port of your Ignition install. For example, if you are on the computer Ignition is installed on, you could use: http://localhost:8088/data/saml/metadata/sp for the SP metadata.

Configuring the Provider

Entity ID (Required: Yes)
  The Identity Provider's Entity ID.

Assertion Consumer Service (ACS) Binding (Required: Yes)
  The expected binding used by the Identity Provider when interacting with Ignition's Assertion Consumer Service.

Name ID Format (Required: Yes)
  The expected name ID format for subjects of assertions resulting from Authn Requests. Options are UNSPECIFIED, EMAIL_ADDRESS, X509_SUBJECT_NAME, WINDOWS_DOMAIN_QUALIFIED_NAME, KERBEROS_PRINCIPAL_NAME, ENTITY_IDENTIFIER, PERSISTENT_IDENTIFIER, TRANSIENT_IDENTIFIER.

Single Sign-On (SSO) Service URL (Required: Yes)
  The Identity Provider's Single Sign-On (SSO) Service URL.

Single Sign-On (SSO) Service Binding (Required: Yes)
  The binding Ignition will use for sending Authn Requests to the Identity Provider's Single Sign-On (SSO) Service.

Force Authn (Required: Yes)
  Check this box to force complying Identity Providers to authenticate the user each time instead of relying on a previous security context. See section 3.4.1 of saml-core-2.0-os for more details.

Validate Response Signatures (Required: Yes)
  Check this box to validate the signature of the response from the Identity Provider.

Validate Assertion Signature (Required: Yes)
  Check this box if it is expected that assertions will be signed. Ignition will validate the signature of each assertion.

Signature Verifying Keys (Required: Yes)
  A list of signing key(s) that Ignition uses to validate signatures from the IdP.

Signature Verifying Certificates (Required: No)
  A base64-encoded DER PKIX certificate value.

SAML Signature Verifying Key Configuration

Key Algorithm (Required: Yes)
  The algorithm identifier for this signature verifying key. Options are DSA, RSA, or EC.

Key Value (Required: Yes)
  A base64-encoded DER key value.


IdP Examples and Troubleshooting

The OpenID Connect 1.0 Example page shows how to configure an external IdP that uses OpenID Connect 1.0 with your Ignition system.
Go to Troubleshooting Identity Providers for helpful examples to help you diagnose and troubleshoot issues with configuring IdPs.
Refer to the SAML Example page for how to configure an Identity Provider that uses the SAML protocol.

