Badge-based Authentication Support

#1

Hi all -

Last night’s early access build includes support for badge-based authentication in the Ignition IdP.

You will now notice a couple new options in the Ignition IdP’s settings:

You can choose which authentication methods are enabled and which enabled method is presented as the default option to the user during authentication. Right now we have two authentication methods: (1) Username and Password and (2) Badge. If more than one method is enabled, the user will have the option to switch to one of the other methods during authentication.

For the badge authentication method, you can choose whether or not to require a password in addition to scanning their badge.

To enroll a badge to a user’s account, go to the User, Roles section in the Gateway Config Web Interface, and click Manage Users for the user source containing the user whose badge you’d like to enroll, and click Edit to edit the user’s account.

You will notice a new Badge text area. Either manually enter the user’s badge ID or focus in the text area and scan the badge to receive the badge ID automatically. Remove any new line characters trailing the badge ID before saving.

Badges may be enrolled for users in any user source profile type except for pure Active Directory. For those of you who use an AD / DB Hybrid or a DB in Manual Mode, you will notice a new Badge Authentication Query configuration. This must be set to a query which is able to return the appropriate user based on the incoming badge ID.

During authentication, the user will be prompted to scan their badge. The authentication web app listens for badge scans in the form of keyboard input. The signal for the end of input is the new line character, so be sure to configure your badge readers accordingly. The input buffer is automatically cleared after 1 second from the first input character allowing the user to try again if there was some problem during the scan.

Security Considerations

Since a badge is just a string under the hood, it is not a very secure mode of authentication by itself. Consider additional layers of defense such as:

  1. Make sure SSL / TLS is set up and the force secure redirect option is enabled on the Gateway in order to mitigate MITM threats
  2. Requiring the user to enter their password in addition to the badge scan
  3. Restricting assigned security levels based on whitelisting the machines from which users may perform badge scanning using security zones. For example: Corporate security level may only get assigned if they used authentication method Username and Password whereas Operator security level may be assigned if coming from Security Zone Plant Floor using any authentication method.
  4. Traditional physical security measures

Note: the capability in #3 above is still under development. We’ll provide more detail for how to access the authentication methods used in a security level rule once it is merged in.

#3

Is it possible to use the system.user functions to add badge info to an existing user or when creating a new user?


#4

Hi @apgilber -

Yes, I had success with the following:

Edit existing user:

# Load the existing user from its user source, set the Badge property, and save it back
user = system.user.getUser('SomeUserSource', 'SomeUser')
user.set('Badge', '12345')
system.user.editUser('SomeUserSource', user)

New user:

# Build a new user object for the user source, set the Badge property, and add it
user = system.user.getNewUser('SomeUserSource', 'SomeUser')
user.set('Badge', '12345')
system.user.addUser('SomeUserSource', user)

#5

Awesome. Also, just FYI: when creating a new user on the Manage Users page, scanning a badge and then clicking Add User does not save the badge input. You have to go back in after the user is created and add the badge again. At least with scanning; I didn’t try manually typing it in.


#6

Hi @apgilber -

Thanks for reporting this issue - I have replicated the problem myself, found the root cause, and filed a bug report (ticket ID 14976).


#7

Is it possible to use the badge based authorization with Vision?


#8

Hi @pat.stave1 -

There is no first-class support for badge based authentication in Vision at this time. Once we make Vision IdP-aware, you will get badge authentication capabilities as a part of the Ignition IdP.


#9

Circling back to the above - the next Early Access build will add a new attribute to the Ignition IdP’s response called amr (in order to align with the amr ID token claim in the OpenID Connect 1.0 spec since the Ignition IdP uses OIDC 1.0 under the hood).

If the user passed a username and password challenge, amr is set to: ["uname", "pwd"]
If the user passed a badge challenge, amr is set to: ["badge"]
If the user passed a badge and password challenge, amr is set to: ["badge", "pwd"]

In a security level rule, you can now do something like this:

containsAll({idp-attributes:amr}, 'uname', 'pwd')

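As an added illustration (not code from Ignition or from this thread), the following models how the amr values listed above can gate security levels the way point #3 of the first post sketches: Corporate only after a username/password challenge, Operator from a whitelisted zone with any method. The security level names, the zone name "Plant Floor", and the rule-table layout are assumptions made for the example.

```python
# Constructed example: evaluate security-level rules against the amr attribute
# returned by the IdP ("uname"/"pwd"/"badge") and the client's security zone.
# Level and zone names below are assumptions, not Ignition defaults.

CORPORATE = "Authenticated/Roles/Corporate"
OPERATOR = "Authenticated/Roles/Operator"
PLANT_FLOOR_ZONE = "Plant Floor"


def contains_all(values, *required):
    """Mirror of the containsAll() expression: True only if every required
    item is present in the attribute list."""
    return all(item in values for item in required)


# Each rule: (security level, predicate over (amr, zone)).
# Corporate demands the username+password challenge; a badge alone or a badge
# plus password is not enough, because the badge is just a string.
# Operator is granted from the whitelisted zone for any completed challenge.
RULES = [
    (CORPORATE, lambda amr, zone: contains_all(amr, "uname", "pwd")),
    (OPERATOR, lambda amr, zone: zone == PLANT_FLOOR_ZONE and len(amr) > 0),
]


def assign_security_levels(amr, zone):
    """Return the security levels granted for a session.

    amr:  list from the IdP response, e.g. ["uname", "pwd"], ["badge"],
          or ["badge", "pwd"]; an empty list means no challenge passed.
    zone: name of the security zone the client connected from.
    """
    return [level for level, rule in RULES if rule(amr, zone)]


if __name__ == "__main__":
    # Walk the three amr shapes from the post through two zones.
    for amr in (["uname", "pwd"], ["badge"], ["badge", "pwd"], []):
        for zone in (PLANT_FLOOR_ZONE, "Office"):
            print(amr, zone, "->", assign_security_levels(amr, zone))
```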