8.1.17 SSO login no longer working

Hello,

We upgraded from 8.1.14 to 8.1.17 today. The first thing I noticed is that users are no longer automatically logged into Vision projects via SSO. The credentials still work when entered manually, so the AD connection is still working. Enable SSO login is still checked in the projects.

Is there something that can be done to resolve this?

Thanks,

image

Here is the response I got from the Ignition team:

SSO for AD user sources has been forcefully disabled as of 8.1.17 due to a security vulnerability. Unfortunately for now, it is much better to have SSO disabled until a permanent fix is released in a later version (TBD).

(Some) more details here:

We’ll have a longer form blog post explaining things in depth up soon.

1 Like

@PGriffith
I’m reading the post at https://support.inductiveautomation.com/hc/en-us/articles/5979279808397-Active-Directory-SSO-Disabled-for-8-1-17-7-9-20-

Do you know if this is a temporary situation, or one that is more long term? That way we can let our customers know that might be interested in upgrading… ie upgrade to 8.1.17 or wait for another version or two for this to be corrected.

1 Like

This will not be a quick fix, and it’s a serious security issue, so I’d get them used to the idea it’s gone.

That’s the way I read it… we have one customer that uses this extensively, so I’ll let them know that you can re-enable, it’s just insecure.

For their part though… they are pretty isolated from forward facing systems so about the only attack surface they have is in plant. And if you are there you already can make a mess.

Also, in case it’s not clear, SSO still works, as in - you can still sign in using your AD credentials - but automatic sign in is disabled. You will have to have to put in your username / password.

Yeah… that’s the part they like. They want the operator to just sign onto the PC and then launch Vision and it automagically works. Unfortunately it’s one of those things that will break the operators brain if it changes. :smiley: