Badge-based Authentication Support

Hi all -

Last night’s early access build includes support for badge-based authentication in the Ignition IdP.

You will now notice a couple of new options in the Ignition IdP’s settings:

You can choose which authentication methods are enabled and which enabled method is presented as the default option to the user during authentication. Right now we have two authentication methods: (1) Username and Password and (2) Badge. If more than one method is enabled, the user will have the option to switch to one of the other methods during authentication.

For the badge authentication method, you can choose whether or not to require a password in addition to scanning their badge.

To enroll a badge to a user’s account, go to the Users, Roles section in the Gateway Config Web Interface, click Manage Users for the user source containing the user whose badge you’d like to enroll, and click Edit to edit the user’s account.

You will notice a new Badge text area. Either manually enter the user’s badge ID or focus in the text area and scan the badge to receive the badge ID automatically. Remove any new line characters trailing the badge ID before saving.

Badges may be enrolled for users in any user source profile type except for pure Active Directory. For those of you who use an AD / DB Hybrid or a DB in Manual Mode, you will notice a new Badge Authentication Query configuration. This must be set to a query which is able to return the appropriate user based on the incoming badge ID.

During authentication, the user will be prompted to scan their badge. The authentication web app listens for badge scans in the form of keyboard input. The signal for the end of input is the new line character, so be sure to configure your badge readers accordingly. The input buffer is automatically cleared after 1 second from the first input character allowing the user to try again if there was some problem during the scan.

Security Considerations

Since a badge is just a string under the hood, it is not a very secure mode of authentication by itself. Consider additional layers of defense such as:

  1. Make sure SSL / TLS is set up and the force secure redirect option is enabled on the Gateway in order to mitigate MITM threats
  2. Requiring the user to enter their password in addition to the badge scan
  3. Restricting assigned security levels by whitelisting, using security zones, the machines from which users may perform badge scanning. For example: the Corporate security level may only be assigned if the user authenticated with the Username and Password method, whereas the Operator security level may be assigned if the user is coming from the Plant Floor security zone using any authentication method.
  4. Traditional physical security measures

Note: the capability in #3 above is still under development. We’ll provide more detail for how to access the authentication methods used in a security level rule once it is merged in.

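The announcement above describes the badge listener’s contract in three sentences: keystrokes are buffered, a newline ends the input, and a partial scan is thrown away one second after its first character. The following is an added example, not Ignition’s code, that models that contract so the behaviour can be checked on constructed keystroke sequences; `BadgeScanBuffer`, `normalize_badge_id`, `scan_events` and `typed` are names chosen here for illustration and are not Ignition API names. It also shows the trailing-newline cleanup the enrollment step asks for, since a keyboard-wedge reader ends every scan with the same terminator.

```python
"""Added example (not Ignition's code): a model of the keyboard-wedge badge
scan handling described in the post. A badge reader that acts as a keyboard
"types" the badge ID followed by a newline; the listener collects characters,
treats the newline as end-of-input, and discards a partial scan once 1 second
has elapsed since its first character. All names below are assumptions for
illustration, not Ignition API names.
"""

BUFFER_TIMEOUT_MS = 1000          # the post: buffer clears 1 s after the first character
TERMINATORS = ("\n", "\r")        # end-of-input signal sent by the badge reader


def normalize_badge_id(raw):
    """Strip trailing CR/LF characters that a reader appends, as the post
    advises before saving a badge ID during enrollment."""
    return raw.rstrip("\r\n")


class BadgeScanBuffer:
    """Collects keystrokes from a keyboard-wedge badge reader.

    feed(ts_ms, ch) returns the completed badge ID when a terminator arrives,
    otherwise None. A scan that does not complete within the timeout of its
    first character is dropped so the user can simply scan again. The timeout
    is checked lazily on the next keystroke; a real listener would use a
    timer, but the returned values are the same.
    """

    def __init__(self, timeout_ms=BUFFER_TIMEOUT_MS):
        self.timeout_ms = timeout_ms
        self.chars = []
        self.started_at = None

    def _reset(self):
        self.chars = []
        self.started_at = None

    def feed(self, ts_ms, ch):
        # Drop a stale partial scan before looking at the new keystroke.
        if self.started_at is not None and ts_ms - self.started_at >= self.timeout_ms:
            self._reset()
        if ch in TERMINATORS:
            if not self.chars:
                return None           # stray newline with nothing buffered
            badge = normalize_badge_id("".join(self.chars))
            self._reset()
            return badge
        if self.started_at is None:
            self.started_at = ts_ms   # first character starts the 1 s window
        self.chars.append(ch)
        return None


def scan_events(events, timeout_ms=BUFFER_TIMEOUT_MS):
    """Run (timestamp_ms, char) keystrokes through the buffer and return every
    badge ID that was completed."""
    buf = BadgeScanBuffer(timeout_ms)
    results = []
    for ts, ch in events:
        badge = buf.feed(ts, ch)
        if badge is not None:
            results.append(badge)
    return results


def typed(text, start_ms, gap_ms=10):
    """Constructed helper: turn a string into evenly spaced keystroke events."""
    return [(start_ms + i * gap_ms, ch) for i, ch in enumerate(text)]


# Constructed sample keystroke streams (badge IDs are made up).
GOOD_SCAN = typed("0012345678\n", 0)          # complete scan with terminator
INTERRUPTED = typed("0012", 5000)             # reader stalled, no terminator
RESCAN = typed("0098765432\n", 7000)          # user tries again 2 s later

if __name__ == "__main__":
    print(scan_events(GOOD_SCAN + INTERRUPTED + RESCAN))
```

Running the constructed streams together yields only the two complete badge IDs: the interrupted scan is discarded when the rescan starts more than a second later, and a newline arriving after the window has expired does not turn a stale partial buffer into a badge. It also makes the first post’s caveat concrete: what reaches the IdP is whatever string was typed, which is why the password and security-zone layers matter.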

Is it possible to use the system.user functions to add badge info to an existing or when creating a new user?

Hi @apgilber -

Yes, I had success with the following:

Edit existing user:

# Load the existing user from the user source, set the Badge property, and save the change
user = system.user.getUser('SomeUserSource', 'SomeUser')
user.set('Badge', '12345')
system.user.editUser('SomeUserSource', user)

New user:

# Create a new user object, set the Badge property, and add it to the user source
user = system.user.getNewUser('SomeUserSource', 'SomeUser')
user.set('Badge', '12345')
system.user.addUser('SomeUserSource', user)

Awesome. Also just FYI: when creating a new user in the Manage Users page, scanning a badge and then clicking Add User does not save the badge input. You have to go back in after the user is created and add the badge again. At least with scanning. I didn’t try manually typing it in.

Hi @apgilber -

Thanks for reporting this issue - I have replicated the problem myself, found the root cause, and filed a bug report (ticket ID 14976).

Is it possible to use the badge-based authorization with Vision?

Hi @pat.stave1 -

There is no first-class support for badge-based authentication in Vision at this time. Once we make Vision IdP-aware, you will get badge authentication capabilities as a part of the Ignition IdP.

Circling back to the above - the next Early Access build will add a new attribute to the Ignition IdP's response called amr (in order to align with the amr ID token claim in the OpenID Connect 1.0 spec since the Ignition IdP uses OIDC 1.0 under the hood).

If the user passed a username and password challenge, amr is set to: ["uname", "pwd"]
If the user passed a badge challenge, amr is set to: ["badge"]
If the user passed a badge and password challenge, amr is set to: ["badge", "pwd"]

In a security level rule, you can now do something like this:

containsAll({idp-attributes:amr}, 'uname', 'pwd')

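The post above gives the three amr values the IdP emits and one rule expression, `containsAll({idp-attributes:amr}, 'uname', 'pwd')`. The following is an added example, not Ignition’s code or expression language, that reproduces the semantics of that rule in plain Python and applies it to the security-level policy sketched in the first post (Corporate only for a username-and-password challenge, Operator for any method from the Plant Floor zone). `contains_all`, `assign_security_levels`, `levels_for_response` and the zone names are assumptions chosen for illustration; the amr values themselves come from the post.

```python
"""Added example (not Ignition's code): evaluating the amr values described in
the thread against security level rules. contains_all mirrors the semantics of
the containsAll expression; assign_security_levels encodes the example policy
from the first post. Function and zone names are assumptions for illustration.
"""

# amr values the post says the Ignition IdP emits for each challenge type.
AMR_USERNAME_PASSWORD = ["uname", "pwd"]
AMR_BADGE = ["badge"]
AMR_BADGE_PASSWORD = ["badge", "pwd"]


def contains_all(values, *required):
    """True when every required value is present in values.

    Mirrors the rule `containsAll({idp-attributes:amr}, 'uname', 'pwd')`.
    A missing attribute (None) contains nothing, so the rule fails closed.
    """
    present = set(values or [])
    return all(item in present for item in required)


def assign_security_levels(amr, security_zone):
    """Return the set of security levels a session earns.

    Corporate: requires the username+password challenge, so a badge scan,
      even with a password, never earns it (no 'uname' in amr).
    Operator: granted when the client is in the Plant Floor security zone,
      whichever authentication method was used.
    """
    levels = set()
    if contains_all(amr, "uname", "pwd"):
        levels.add("Corporate")
    if security_zone == "Plant Floor":
        levels.add("Operator")
    return levels


def levels_for_response(idp_attributes, security_zone):
    """Evaluate the policy against an IdP response attribute dictionary.

    Only the 'amr' key is read; an IdP response without it (for example a
    build predating the attribute) grants no method-dependent level.
    """
    return assign_security_levels(idp_attributes.get("amr"), security_zone)


# Constructed sessions: (description, idp attributes, security zone).
SAMPLE_SESSIONS = [
    ("office user, password login", {"amr": AMR_USERNAME_PASSWORD}, "Corporate Office"),
    ("operator, badge only", {"amr": AMR_BADGE}, "Plant Floor"),
    ("operator, badge + password", {"amr": AMR_BADGE_PASSWORD}, "Plant Floor"),
    ("badge scanned from an office PC", {"amr": AMR_BADGE}, "Corporate Office"),
    ("response without amr", {}, "Plant Floor"),
]


def evaluate_sessions(sessions=SAMPLE_SESSIONS):
    """Map each constructed session to its sorted list of security levels."""
    return {
        description: sorted(levels_for_response(attrs, zone))
        for description, attrs, zone in sessions
    }


if __name__ == "__main__":
    for description, levels in evaluate_sessions().items():
        print(f"{description}: {levels}")
```

The fourth constructed session is the one the first post’s Security Considerations are aimed at: a badge scanned from a machine outside the whitelisted zone earns no level at all, and a badge-plus-password login still cannot reach Corporate because the rule asks for `uname`, not merely `pwd`.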

This issue (14976) is fixed in the latest 8.0.5 nightly build.

Dear Joel,
just some feedback regarding the badge authentication from the pilot project. I tried with the build of September 25th: the login with badge works fine, the login with badge + password is ok, the login with badge + security code fails.

Have you news about the latest fixes?

Best regards,
Andrea

Hi @andrea.morando -

There are only three authentication method combinations possible right now:

  1. Username and Password
  2. Badge
  3. Badge and Password

You mention that 2 and 3 are working, but I am not sure what you mean by “badge + security code”. Could you give more detail?

Hi Joel,
I mean the combination of Badge and Security PIN. I understood the PIN could be the right one for our needs. Am I wrong?
Thanks.

Hi @andrea.morando -

We do not have support for a distinct PIN code. You could set the user’s password as their PIN as a workaround.

Ok Joel, it is clear.
What is the Security Pin intended for?

Thank you.

Security Pin is optionally required by the Voice Notification Module to acknowledge alarms.


Thank you so much, Kevin.

Just tested on the 8.0.5 Release! Works great. Tested with RFIDeas PC prox plus and HID Prox : RDR-608X Compatible Card


For users that are required to use a badge + PIN to login to the Windows environment first, can SSO be used to access a Vision client? Our current login process requires that we login to our laptops using our badge + PIN, and then we need to login to our vision client with a different userID + password. If SSO could leverage our existing badge + PIN login to negate that second login, that would be great.