I feel like I might be missing something here. I have an AD/Internal user source created that I can verify as a user source an get user attributes from. I have also created an IdP that uses the AD/Internal as a User Source, have a Security Level defined, user grants set for a user and roles set for that user on the provider. I try to do a Test Login, or login through perspective and when I put in the correct user information I end up with an unauthenticated user with a return that says “No IdP Response Data” when trying the Test Login from the IdP configuration page. Is this a configuration issue on my end in user attribute mapping or some other place?
I will note that I have the same configuration for an IdP that uses an internal Ignition User source that seems to work.
Could be an attribute mapping misconfiguration for the user name or id attribute. Try setting the gateway.WebAuthSessionImpl and gateway.IdpAdapter logs to debug and login again to see if anything more useful prints to the logs.
Log on the WebAuthSessionImpl:
Unable to parse the WebAuthResponse from the HTTP request
Caused by: com.inductiveautomation.ignition.gateway.auth.web.strategy.WebAuthStrategyException: Unable to exchange the auth code for the token
Caused by: com.inductiveautomation.ignition.gateway.auth.oidc.client.service.OIDCClientServiceException: Problem getting the token
Caused by: com.inductiveautomation.ignition.gateway.auth.oidc.provider.service.OIDCProviderServiceException: Unable to generate token
Caused by: java.lang.IllegalStateException: User source profile ‘5’ missing user with id 'greenc
If you go to your AD / Hybrid user source in the Users, Roles section of the gateway config web interface, and click on manage users, does user greenc show up on that list?
It appears as though ‘greenc’ needs to be ‘GreenC’ for this to work. I am able to use greenc and put in a password and it navigates me back to the project view from there, but unless I use ‘GreenC’ with the caps in place, the IdP fails. Is this a bug or do I need to enforce something when people are typing in their username?
Ah that explains it.
It appears that during authentication, the username is case insensitive, but when we perform the redirect back to the application (in this case, test login), we are performing a case sensitive lookup of the user’s information to fill in the attribute mapper and that lookup is based on how the user entered their username in the login form (in a case-sensitive fashion).
I’m going to mark this as a bug on our side. We’ll figure out a better way to handle this.
Thanks for sharing the issue.
This issue was fixed in the build uploaded today (4/10).
Normally we have the nightly builds accessible via https://inductiveautomation.com/downloads/ignition, but in the meantime you can find it via this post:
8.0.1 Nightlies - Temporary Place to Download the Latest Builds
Let us know if you have any issues.