8.1.17 SSO login no longer working

Hello,

We upgraded from 8.1.14 to 8.1.17 today. The first thing I noticed is that users are no longer automatically logged into Vision projects via SSO. The credentials still work when entered manually, so the AD connection is still working. Enable SSO login is still checked in the projects.

Is there something that can be done to resolve this?

Thanks,

Here is the response I got from the Ignition team:

SSO for AD user sources has been forcefully disabled as of 8.1.17 due to a security vulnerability. Unfortunately for now, it is much better to have SSO disabled until a permanent fix is released in a later version (TBD).

(Some) more details here:

We’ll have a longer form blog post explaining things in depth up soon.

@PGriffith
I’m reading the post at https://support.inductiveautomation.com/hc/en-us/articles/5979279808397-Active-Directory-SSO-Disabled-for-8-1-17-7-9-20-

Do you know if this is a temporary situation, or one that is more long term? That way we can let our customers that might be interested in upgrading know… i.e. upgrade to 8.1.17 or wait for another version or two for this to be corrected.

This will not be a quick fix, and it’s a serious security issue, so I’d get them used to the idea it’s gone.

That’s the way I read it… we have one customer that uses this extensively, so I’ll let them know that you can re-enable, it’s just insecure.

For their part though… they are pretty isolated from forward-facing systems, so about the only attack surface they have is in plant. And if you are there you already can make a mess.

Also, in case it’s not clear, SSO still works, as in - you can still sign in using your AD credentials - but automatic sign in is disabled. You will have to put in your username / password.

Yeah… that’s the part they like. They want the operator to just sign onto the PC and then launch Vision and it automagically works. Unfortunately it’s one of those things that will break the operator’s brain if it changes. :smiley:

I see it's almost a year since this response. Any idea how other customers are achieving this functionality? I want to set up autologins for each client with different login creds.

I suspect anybody who still has automatic sign in working, and isn't running an old version, has opted back into the insecure implementation using the system property mentioned in that KB article.

Kerberos-based AD SSO support is still an incubation/research task in a backlog. There is no estimated date for this functionality.