Identity Provider Authentication Workflow
The following diagram and steps illustrate how IdP authentication works.
- The user makes a login attempt against the Gateway, a Perspective Session, or a Vision Client.
- Ignition determines that IdP authentication is required.
- Ignition redirects the user to the Identity Provider to authenticate their credentials:
- IdP authenticates the user: the IdP prompts the user with a security challenge, such as a username and password. The extent of the challenge depends entirely on the provider; many providers support multi-factor authentication (MFA).
- User responds: the user correctly responds to the security challenge.
- Redirect back to Ignition: if the IdP successfully validates the user, it redirects the user back to Ignition (the Gateway, Perspective Session, or Vision Client that started the login). Some IdPs may first guide the user through an additional workflow, such as re-verifying an email address or replacing an expired password. Along with the redirect, the IdP returns a response document describing the user. This is the only context Ignition has about the user, and it is what the Session uses to assign Security Levels.
- Update the user's Security Level: once back in the session, the user is mapped to the Security Levels determined by the returned attributes, the security level rules, and any User Grants, giving the user access to the restricted action.
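The exchange above, simulated end to end as an added example (this is not Ignition's code and does not describe its internal implementation; it models a generic OpenID Connect authorization-code redirect). The IdP, the user database, the endpoint URLs and the HMAC "signing key" are all constructed for the example. The relying-party side shows the checks a practitioner expects before any attribute in the response document is trusted: the `state` value ties the callback to a login this gateway started, the `nonce` ties the ID token to that same attempt, and issuer, audience, signature and expiry are checked before the claims are returned.

```python
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed parameters; not real Ignition endpoints, client IDs or keys.
IDP_ISSUER = "https://idp.example.test"
CLIENT_ID = "ignition-gateway"
REDIRECT_URI = "https://ignition.example.test/idp/callback"
SHARED_KEY = b"constructed-demo-key"  # stands in for the IdP's token signing key

# --- Simulated IdP ----------------------------------------------------------
IDP_USERS = {  # constructed user store
    "alice": {"password": "correct horse", "email": "alice@example.test", "roles": ["Operator"]},
}
_issued_codes = {}  # authorization code -> (username, nonce, expiry)


def query_of(url):
    """Flatten a URL's query string into a dict of single values."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def idp_authorize(query, username, password):
    """Steps 4-5: the IdP challenges the user; on success it redirects back to
    the relying party with a one-time code and echoes the caller's state."""
    user = IDP_USERS.get(username)
    if user is None or not hmac.compare_digest(user["password"], password):
        return None
    code = secrets.token_urlsafe(16)
    _issued_codes[code] = (username, query["nonce"], time.time() + 60)
    return query["redirect_uri"] + "?" + urlencode({"code": code, "state": query["state"]})


def idp_token(code, client_id):
    """Code exchange: redeem the code once and return an HMAC-signed ID token
    (JSON body + '.' + hex signature; a stand-in for a real JWT)."""
    entry = _issued_codes.pop(code, None)
    if entry is None or entry[2] < time.time():
        return None
    username, nonce, _ = entry
    claims = {"iss": IDP_ISSUER, "aud": client_id, "sub": username, "nonce": nonce,
              "exp": int(time.time()) + 300, "email": IDP_USERS[username]["email"],
              "roles": IDP_USERS[username]["roles"]}
    body = json.dumps(claims, sort_keys=True)
    sig = hmac.new(SHARED_KEY, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + sig


# --- Simulated relying party (the Ignition side) ----------------------------
def start_login():
    """Step 3: build the redirect to the IdP. state protects the callback against
    CSRF; nonce binds the returned ID token to this specific login attempt."""
    pending = {"state": secrets.token_urlsafe(16), "nonce": secrets.token_urlsafe(16)}
    query = {"response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
             "scope": "openid email", **pending}
    return IDP_ISSUER + "/authorize?" + urlencode(query), pending


def finish_login(callback_url, pending):
    """Step 6: validate the callback and the ID token before trusting any claim.
    Returns the verified claims (the 'response document') or raises ValueError."""
    params = query_of(callback_url)
    if not hmac.compare_digest(params.get("state", ""), pending["state"]):
        raise ValueError("state mismatch: callback not tied to a login we started")
    token = idp_token(params["code"], CLIENT_ID)
    if token is None:
        raise ValueError("authorization code rejected by IdP")
    body, sig = token.rsplit(".", 1)
    expected = hmac.new(SHARED_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad token signature")
    claims = json.loads(body)
    if claims["iss"] != IDP_ISSUER or claims["aud"] != CLIENT_ID:
        raise ValueError("token not issued by our IdP for this gateway")
    if not hmac.compare_digest(claims["nonce"], pending["nonce"]):
        raise ValueError("nonce mismatch: replayed or injected token")
    if claims["exp"] < time.time():
        raise ValueError("token expired")
    return claims


def run_flow(username, password):
    """Whole exchange end to end; returns verified claims, or None if the IdP
    rejected the credentials."""
    auth_url, pending = start_login()
    callback = idp_authorize(query_of(auth_url), username, password)
    if callback is None:
        return None
    return finish_login(callback, pending)


if __name__ == "__main__":
    print(run_flow("alice", "correct horse"))
```

The claims returned by `finish_login` are the point at which the user's attributes become usable for security level assignment; nothing read from the callback URL alone (not even the username) should be trusted before these checks pass.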
Using Identity Providers
The first step in using Identity Providers is to configure one. For the steps to configure the internal Ignition IdP, OpenID Connect 1.0, or Security Assertion Markup Language (SAML), go to Configuring Identity Providers.
Once an Identity Provider has been configured, there are several ways to test and adjust how it works. You can map the attributes returned in the IdP response document to more familiar user properties that are available within the project. You can add rules to custom security levels that determine when a user falls into that level. Overrides can be given to individual users as User Grants, so that they receive certain security levels regardless of the rules. Finally, you can test the IdP by logging in as a user to confirm what is returned in the response document.
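The three mechanisms in the paragraph above (attribute mapping, security level rules, and User Grants) combined into one model, as an added example. This is not Ignition's code: the property names, the rule shape (a predicate over the mapped user), the level names and the sample response documents are all constructed for illustration, and Ignition's own rule syntax is not reproduced here. What the example adds is the edge handling a practitioner wants: a missing attribute maps to a safe default, a scalar group claim is normalised to a list, and a rule that throws never grants a level.

```python
# Mapped user property -> attribute name in the IdP response document.
# (Constructed mapping; adjust to what your IdP actually returns.)
ATTRIBUTE_MAPPING = {
    "username": "preferred_username",
    "email": "email",
    "roles": "groups",
}

# Custom security levels and the rule that admits a user to each. A rule is a
# predicate over the mapped user; the level names are illustrative only.
SECURITY_LEVEL_RULES = {
    "Authenticated/Roles/Operator": lambda u: "plant-operators" in u["roles"],
    "Authenticated/Roles/Supervisor": lambda u: "plant-supervisors" in u["roles"],
    "Authenticated/Roles/Admin": lambda u: ("ignition-admins" in u["roles"]
                                            and u["email"].endswith("@example.test")),
}

# User Grants: levels given to a named user regardless of the rules.
USER_GRANTS = {"bob": {"Authenticated/Roles/Supervisor"}}


def map_attributes(response_doc):
    """Turn the raw IdP response document into the user properties a project sees.
    Missing attributes get safe defaults; a scalar 'groups' becomes a one-item list
    so a rule like `x in u["roles"]` cannot accidentally match a substring."""
    user = {}
    for prop, attr in ATTRIBUTE_MAPPING.items():
        value = response_doc.get(attr)
        if prop == "roles":
            if value is None:
                value = []
            elif isinstance(value, str):
                value = [value]
            value = [str(v) for v in value]
        elif value is None:
            value = ""
        user[prop] = value
    return user


def security_levels(response_doc):
    """Compute the set of security levels for one login.
    None stands for 'no IdP login', which yields only the public level."""
    levels = {"Public"}
    if response_doc is None:
        return levels
    user = map_attributes(response_doc)
    levels.add("Authenticated")
    for level, rule in SECURITY_LEVEL_RULES.items():
        try:
            matched = bool(rule(user))
        except Exception:
            matched = False  # a broken rule fails closed: it never grants access
        if matched:
            levels.add(level)
    # Grants are additive overrides keyed by the mapped username.
    levels |= USER_GRANTS.get(user["username"], set())
    return levels


if __name__ == "__main__":
    # Constructed response document, the kind of thing the IdP test login shows.
    sample = {"sub": "1001", "preferred_username": "alice",
              "email": "alice@example.test", "groups": ["plant-operators"]}
    print(sorted(security_levels(sample)))
```

Running the IdP test login and feeding the actual response document through `map_attributes` is the quickest way to see whether an attribute name in the mapping is wrong: a misspelled attribute silently maps to the empty default and the user lands in fewer levels than expected, which is the safe direction, but still a misconfiguration worth catching before rollout.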