Hi all -
Last night’s early access build includes support for badge-based authentication in the Ignition IdP.
You will now notice a couple new options in the Ignition IdP’s settings:
You can choose which authentication methods are enabled and which enabled method is presented as the default option to the user during authentication. Right now we have two authentication methods: (1) Username and Password and (2) Badge. If more than one method is enabled, the user will have the option to switch to one of the other methods during authentication.
For the badge authentication method, you can choose whether or not to require a password in addition to scanning their badge.
To enroll a badge to a user’s account, go to the User, Roles section in the Gateway Config Web Interface, click Manage Users for the user source containing the user whose badge you’d like to enroll, and click Edit to edit the user’s account.
You will notice a new Badge text area. Either manually enter the user’s badge ID or focus in the text area and scan the badge to receive the badge ID automatically. Remove any new line characters trailing the badge ID before saving.
Badges may be enrolled for users in any user source profile type except for pure Active Directory. For those of you who use an AD / DB Hybrid or a DB user source in Manual Mode, you will notice a new Badge Authentication Query configuration. This must be set to a query which is able to return the appropriate user based on the incoming badge ID.
During authentication, the user will be prompted to scan their badge. The authentication web app listens for badge scans in the form of keyboard input. The signal for the end of input is the new line character, so be sure to configure your badge readers accordingly. The input buffer is automatically cleared after 1 second from the first input character allowing the user to try again if there was some problem during the scan.
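To make the listener behaviour concrete, here is an added example (my own code, not the Ignition web app’s) that models the scan buffer as a pure function of characters and timestamps: a newline terminates a scan, and anything typed more than one second after the first character of a scan is discarded so the user can retry. The class and function names are mine; the 1000 ms window is the value stated above.

```javascript
// Added example, not Ignition's code: a model of the badge-scan input buffer.
// Timestamps are passed in explicitly so it runs without a DOM; in a browser
// you would feed it keydown events together with Date.now().
class BadgeScanBuffer {
  constructor(windowMs = 1000) {
    this.windowMs = windowMs;      // 1 second window, as described above
    this.buffer = "";
    this.firstInputAt = null;      // time of the first character of the current scan
  }

  // Feed one character arriving at time `now` (ms). Returns the completed
  // badge ID when a newline terminator arrives, otherwise null.
  push(ch, now) {
    // The window is measured from the FIRST character of the scan, not the
    // most recent one, so a slow or partial scan is simply discarded.
    if (this.firstInputAt !== null && now - this.firstInputAt >= this.windowMs) {
      this.reset();
    }
    if (ch === "\n" || ch === "\r") {
      const badgeId = this.buffer;
      this.reset();
      return badgeId.length > 0 ? badgeId : null;  // CRLF yields one ID, not two
    }
    if (this.firstInputAt === null) this.firstInputAt = now;
    this.buffer += ch;
    return null;
  }

  reset() {
    this.buffer = "";
    this.firstInputAt = null;
  }
}

// Run a whole keystroke sequence [[char, timeMs], ...] and collect the IDs.
function scanSequence(buf, keystrokes) {
  const ids = [];
  for (const [ch, t] of keystrokes) {
    const id = buf.push(ch, t);
    if (id !== null) ids.push(id);
  }
  return ids;
}

// For the enrollment text area: strip the trailing new line characters a
// reader appends, so the stored ID matches what the listener extracts.
function normalizeEnrolledBadgeId(raw) {
  return raw.replace(/[\r\n]+$/, "");
}
```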
Since a badge is just a string under the hood, it is not a very secure mode of authentication by itself. Consider additional layers of defense such as:
- Make sure SSL / TLS is set up and the force secure redirect option is enabled on the Gateway in order to mitigate MITM threats
- Requiring the user to enter their password in addition to the badge scan
- Restricting assigned security levels by using security zones to whitelist the machines from which users may perform badge scanning. For example: the Corporate security level may only get assigned if the user authenticated with the Username and Password method, whereas the Operator security level may be assigned if the user is coming from the Plant Floor security zone using any authentication method.
- Traditional physical security measures
Note: the capability in #3 above is still under development. We’ll provide more detail for how to access the authentication methods used in a security level rule once it is merged in.