This section provides an example of how to connect an Identity Provider that is using the SAML protocol. This example uses the Okta IdP service. Your IdP vendor may differ and the specific links will differ.

Prerequisites

Before you begin configuring Ignition, some preliminary requirements must be met outside of Ignition:

  • A configured remote IdP (Okta in this example)
  • The metadata file specific to your IdP
  • The scope data specific to your IdP
  • Login credentials to use as a test

Configured IdP

An IT department is usually the one to set up and configure a remote IdP. You need a configured remote IdP that is compatible with the SAML protocol.

At minimum there needs to be an account set up with the IdP, users added to the IdP account, and applications added to the IdP.

Metadata File

You will need the metadata file specific to your IdP. This document defines how to communicate with the IdP. It is usually a web page that allows the metadata file to be exported to an XML file.
You will need the URL link to this page or an XML export of this page. For example, the metadata import URL may look something like this:

https://dev-123456.okta.com/app/esdfsdf7886sd6723hjkdf/sso/saml/metadata


Here is an example of part of a metadata file for Okta. Notice that the file is in XML format. You can use the file or the URL to automatically import the configuration into Ignition. Otherwise, it will need to be typed in manually.

Test Login Credentials

You need an account specific to the IdP for testing purposes (Okta in this example). To test and verify the IdP account, log in to your IdP. For our example, the Okta login page is shown here:

You should now have IdP credentials to test with and a metadata URL or metadata XML file. The next step is to configure Ignition to communicate with your IdP.


Configure Ignition Gateway

  1. On the Gateway Webpage, click on the Config tab. You will need to log in if you aren't already.
  2. Under the Security section, click on Identity Providers. The Identity Providers screen is displayed. This screen will list all IdPs that have been configured. You can filter by name or adjust the number of IdPs displayed per page in the view. 


  3. Click on the Create a New Identity Provider... link.



  4. Select the Security Assertion Markup Language 2.0 option and click Next.



  5. On the Basic Details screen, provide a Provider Name. You can also add a Provider Description if desired. The Provider Type field will fill in automatically from the previous screen.


  6. The next section is Import Provider Metadata. In the Import from URL section, enter the URL from earlier that is specific to your IdP. You can also import a file below if it was provided by your IT department.
  7. Click on the Import button.




  8. Ignition will now generate a URI redirect address for your Ignition server. It is listed just below the “Import Provider Metadata” area of the configuration page.
    In our example it is http://10.10.110.86:8088/data/federate/callback/saml. You need to provide this URI to your IdP (usually this means giving it to your IT department).

    Note: The URI should be a web address that is accessible from the IdP server.


  9. Once you have given your IT department the redirect address, they can add your Ignition server as an application to the IdP.

    Note: The IdP can use the same redirect address for the Login, Logout, and Initiate Login.

  10. The next section is Provider Configuration. Most of the fields below should have been filled in when you imported the IdP metadata.



  11. Press the Save button at the bottom right of the page. You'll see a confirmation message.



  12. The next step is to perform a test login. From the Identity Providers screen, select More and then Test Login.
  13. You will be redirected to the Okta login. Enter your test login credentials and click the Sign In button.



  14. If the login is successful, you will be returned to the Identity Provider Test Login screen. The returned results will be displayed in the Results section.




