We are interested in enabling SSO for our Perspective projects, similar to this post.
The Goals:
- To allow Perspective projects to be visited by end users without them being prompted for credentials (if they are in the proper role(s) of course).
- To allow the Designer to be launched by a developer without being prompted for credentials.
What we’ve done:
- Set up an Active Directory Identity Provider (Config > Security > Identity Providers)
- Set up an Active Directory User Source (Config > Security > Users,Roles)
- Turned on “SSO Enabled”
- Populated “SSO Domain”
- Turned on “Allow Designer SSO” (Config > Security > General)
- Turned off “Always ask the IdP to re-authenticate users by default” (Config > Security > General > System Identity Provider)
- We even tried turning on the “Enable SSO Login” (Project Properties > Vision > Login > SSO Login), understanding that this should have no bearing on a Perspective project.
The Results (from the Goals section):
#1 No matter what we’ve tried, we are still presented with login dialogs when navigating to Perspective projects in a browser.
#2 This works as desired.
For #1. Have we missed something? Does Perspective not support what we are attempting?
It sounds like you want to login to your windows computer as user X, open your browser, navigate to Perspective, and recognize that you are logged in as X. If that’s the case, then no, it is not possible at this time using the internal Ignition IdP. You’d have to look for another IdP to perform this capability, perhaps ADFS.
I suspected this might be the case. Thanks Joel.
Keep in mind, this doesn't work with IdP, this setting is only for regular user sources...
Thanks Ryan.
So, our existing user source is an AD store, and enabling “Allow Designer SSO” currently allows developers to launch the designer without entering creds - as desired. The next hurdle is to allow SSO from an end-user standpoint - visiting a Perspective project and having a SAML endpoint authenticate them.
Assume you are using “classic”? Once switching to IdP auth for designer, I think SSO breaks as it essentially behaves the same way as perspective in the designer.
That is correct. We are using “Classic” currently. I would think that we should be able to leave this as-is, going against the “System User Source” which is our AD store.
In order to authenticate end-users (Perspective clients) via SSO, it sounds like we will need to add a new “Security Assertion Markup Language 2.0” Identity Provider. Are you saying that, because we would also need to change the “System Identity Provider” to this new SAML provider, the SSO on the Designer Launcher would fail, or require manual login?
Yes, you want to setup a direct IdP against your auth source. We using Office365 so have OpenID against Azure for our IdP, then for designer and vision auth, use our local AD/LDAP. Its the same users except different auth mechanisms. What kind of IdP depends on your environment and IT stuff.
Considering my browser is always auth’d to Office356, at most I need to do is click “login” and everything else is SSO, then I am dumped into Perspective or the Gateway. Its fairly seamless.