Using Identity Providers
The first step in using Identity Providers is to configure them. For the steps for configuring Internal Ignition IdP, OpenID Connect 1.0, or Security Assertion Markup Language (SAML), go to Configuring Identity Providers.
Once an Identity Provider has been configured, there are a few things that can be done to test and adjust how it works. You can map the attributes that are returned in the IdP response document to more familiar user properties that are available to use within the project. You can add rules to custom security levels that determine when a user falls into the level. Overrides can be given to users in the form of User Grants, so that they are granted certain security levels regardless of the rules. Finally, you can test out the IdP by logging in with a user to confirm what is returned in the response document.
Auth Token Connection Recovery
The following feature is new in Ignition version 8.1.24.
After a user authenticates with the IdP, the Gateway generates a special auth token bound to that session, and the Designer or Vision Client instance keeps it in memory. If the connection is lost and later recovered, the Designer or Vision Client can securely resume its session by presenting a valid auth token to the Gateway, without having to restart completely. Note that auth tokens are not included in Gateway Backups; any existing auth tokens are cleared when a Gateway Backup is restored.
You can further control the auth token lifecycle by adjusting the settings below. To see them, make sure Identity Provider is selected as the Authentication Strategy; these settings do not apply to the Classic Authentication Strategy.
- User Inactivity Timeout: The number of minutes that must elapse, while a session is disconnected, before the user's auth token expires due to inactivity. Must be greater than zero. Default: 10 minutes.
- Time-To-Live (TTL): The maximum number of minutes a user's auth token may exist before it expires. If set to zero or a negative number, auth tokens never expire by age, although they can still expire due to inactivity. Default: 0 minutes (does not expire).
For Designer Auth Tokens, these settings can be found on the Gateway General Security Settings page by navigating to Gateway > Config > Security > General.
For Vision Client auth tokens, these settings can be found in the Designer by opening the Project Menu, selecting Project Properties and navigating to Vision > Login.
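To make the lifecycle rules above concrete, here is an added model of the two settings and the backup-restore behaviour; it is illustrative code, not Ignition's own implementation, and the class, field and method names are assumptions. It also shows the TTL edge case (a value of zero or less never ages a token out) and the rule that a zero inactivity timeout is rejected.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

MINUTE = 60.0  # the settings on this page are expressed in minutes

@dataclass
class AuthTokenPolicy:
    user_inactivity_timeout_min: int = 10  # must be greater than zero
    ttl_min: int = 0                       # <= 0 means the token never expires by age

    def __post_init__(self) -> None:
        if self.user_inactivity_timeout_min <= 0:
            raise ValueError("User Inactivity Timeout must be greater than zero")

@dataclass
class AuthToken:
    issued_at: float                         # seconds since epoch
    disconnected_at: Optional[float] = None  # set while the client's connection is lost

def expiry_reason(policy: AuthTokenPolicy, token: AuthToken, now: float) -> Optional[str]:
    """Return 'ttl' or 'inactivity' if the token has expired, else None."""
    if policy.ttl_min > 0 and now - token.issued_at >= policy.ttl_min * MINUTE:
        return "ttl"
    if (token.disconnected_at is not None
            and now - token.disconnected_at >= policy.user_inactivity_timeout_min * MINUTE):
        return "inactivity"
    return None

class TokenStore:
    """Hypothetical in-memory stand-in for the Gateway's auth token table."""
    def __init__(self, policy: AuthTokenPolicy) -> None:
        self.policy = policy
        self.tokens: Dict[str, AuthToken] = {}
    def issue(self, now: float) -> str:
        token_id = secrets.token_urlsafe(32)  # opaque, unguessable handle held by the client
        self.tokens[token_id] = AuthToken(issued_at=now)
        return token_id
    def disconnect(self, token_id: str, now: float) -> None:
        self.tokens[token_id].disconnected_at = now
    def resume(self, token_id: str, now: float) -> bool:
        """True if the client may resume; unknown or expired tokens are dropped."""
        token = self.tokens.get(token_id)
        if token is None or expiry_reason(self.policy, token, now) is not None:
            self.tokens.pop(token_id, None)
            return False
        token.disconnected_at = None
        return True
    def restore_backup(self) -> None:
        self.tokens.clear()  # restoring a Gateway Backup clears every auth token
```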
When redundancy is enabled, Vision Client auth tokens are synchronized from the Master to the Backup so that IdP-authenticated Vision Client sessions may be resumed seamlessly during failover by using an auth token.