Badge-based Authentication Support

Vision IdP support is pretty far out on the schedule right now - early 2021.

Hi,

@Kevin.Herron, can we have an update on the inclusion of badge support for Vision?

Also, any plans to include support for smartcards or an alternative solution for multi-factor authentication? If a system wants to achieve compliance with IEC-62443 at Security Level 4, MFA is a must.

Thanks,

Well it looks like IdP for Vision landed in 8.1.0 but I don’t know about any plans to support smartcards or alternative 2FA. I’ll find someone who might be more familiar with these project areas and get an answer. I suspect beyond what an IdP supports there isn’t much planned, though…

Hi,

Is the badge login applicable only in the Gateway, or is it also available in the Vision Client?

I am able to get the badge login in the Gateway, but in Vision I am getting the normal login page only. What's the procedure to be followed for it? If you have any manual or settings, please share; it will be helpful.

Yes. In the case of the Gateway Web Interface, make sure your System IdP setting (Config > Security > General) points to the IdP with badge based authentication enabled. In the case of the Vision Client, make sure the IdP auth strategy is set for the project and make sure the project’s IdP points to the IdP with badge based authentication enabled (Designer > Project Menu > Properties)

I am still unable to get badge login in the Vision launcher.

Kindly check my settings also, FYR.

How do I do the Gateway Web Interface for the Vision Client? Kindly guide me on this also.

What version of Ignition are you running?

Your Vision client is using the classic authentication strategy based on your first screenshot. You need to change this to the IdP authentication strategy. See: Vision Project Properties - Ignition User Manual 8.1 - Ignition Documentation

Ignition 8.1.3. It's working, thanks.

Any idea about this error?

I tried normal login. With the same settings I am getting this error.

Are there any exceptions in the gateway logs when this error occurs?

My browser, IE, was having a problem, so I changed the default browser to Chrome and then it was working. Thanks for your support…

I have had more than one user report this error this week on an IdP using badge authentication… Still have not been able to narrow it down enough to get support involved.


What version of Ignition are you on? Are there any exceptions in the Gateway logs when this error occurs?

Got it replicated… I am running 8.1.2. I can consistently get the error when the user's roles is Null.

User Source Type: AD/Database Hybrid
IdP Type: Ignition

This might be slightly related to ticket 15007, where SSO is not working if the role list is Null. Might be that Null roles is causing issues after 8.1.

Here is the corresponding error in gateway.FederationRoutes logger

java.lang.NullPointerException: null
    at com.google.common.base.Preconditions.checkNotNull(Preconditions.java:871)
    at com.google.common.collect.SingletonImmutableSet.<init>(SingletonImmutableSet.java:45)
    at com.google.common.collect.ImmutableSet.of(ImmutableSet.java:84)
    at com.google.common.collect.ImmutableSet.construct(ImmutableSet.java:166)
    at com.google.common.collect.ImmutableSet.copyOf(ImmutableSet.java:269)
    at java.base/java.util.Optional.map(Unknown Source)
    at com.inductiveautomation.ignition.gateway.auth.mapper.attr.user.UserAttributeMapper.map(UserAttributeMapper.java:110)
    at com.inductiveautomation.ignition.gateway.auth.idp.IdpAdapter.mapUser(IdpAdapter.java:123)
    at com.inductiveautomation.ignition.gateway.auth.idp.WebAuthSessionImpl.onLoginResponseInternal(WebAuthSessionImpl.java:204)
    at com.inductiveautomation.ignition.gateway.auth.idp.WebAuthSessionImpl.lambda$onLoginResponse$2(WebAuthSessionImpl.java:213)
    at com.inductiveautomation.ignition.gateway.auth.idp.WebAuthSessionImpl.mdc(WebAuthSessionImpl.java:102)
    at com.inductiveautomation.ignition.gateway.auth.idp.WebAuthSessionImpl.onLoginResponse(WebAuthSessionImpl.java:213)
    at com.inductiveautomation.ignition.gateway.auth.idp.IdpAdapterConfigRoutes$TestLoginWebAuthResponseHandler.handle(IdpAdapterConfigRoutes.java:297)
    at com.inductiveautomation.ignition.gateway.auth.federation.FederationRoutes.callback(FederationRoutes.java:273)
    at com.inductiveautomation.ignition.gateway.auth.federation.FederationRoutes$CrossSiteRouteHandler.handle(FederationRoutes.java:121)
    at com.inductiveautomation.ignition.gateway.dataroutes.Route.service(Route.java:252)
    at com.inductiveautomation.ignition.gateway.dataroutes.RouteGroupImpl.service(RouteGroupImpl.java:61)
    at com.inductiveautomation.ignition.gateway.dataroutes.RouteGroupCollectionServlet.serviceInternal(RouteGroupCollectionServlet.java:54)
    at com.inductiveautomation.ignition.gateway.dataroutes.AbstractRouteGroupServlet.service(AbstractRouteGroupServlet.java:38)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
    at org.eclipse.jetty.servlet.ServletHolder$NotAsyncServlet.service(ServletHolder.java:1391)
    at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:760)
    at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:547)
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
    at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:590)
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
    at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:235)
    at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1607)
    at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:233)
    at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1297)
    at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:188)
    at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:485)
    at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1577)
    at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:186)
    at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1212)
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
    at org.eclipse.jetty.rewrite.handler.RewriteHandler.handle(RewriteHandler.java:322)
    at org.eclipse.jetty.server.handler.HandlerList.handle(HandlerList.java:59)
    at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:146)
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
    at org.eclipse.jetty.server.Server.handle(Server.java:500)
    at org.eclipse.jetty.server.HttpChannel.lambda$handle$1(HttpChannel.java:383)
    at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:547)
    at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:375)
    at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:270)
    at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311)
    at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103)
    at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.onFillable(SslConnection.java:543)
    at org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:398)
    at org.eclipse.jetty.io.ssl.SslConnection$2.succeeded(SslConnection.java:161)
    at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103)
    at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:117)
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:336)
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:313)
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:171)
    at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:129)
    at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:388)
    at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:806)
    at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:938)
    at java.base/java.lang.Thread.run(Unknown Source)

Hi, I used a barcode scanner to scan the badge (TB790) in the Gateway web interface but am unable to log in. Are any other hardware or modules required to do it…

Yep, based on that stack, your user(s) must have one or more null roles. These roles must be set in your Database - you could adjust your User Roles Query setting on the user source to filter out null values. At the IdP layer, as an extra safeguard, you could set your roles attribute mapper to an expression which calls runScript and have a jython script filter out None values from the collection of roles.
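The IdP-layer safeguard described in the reply above, as an added example (not code from this thread or from Ignition): a role filter written to run unchanged under Jython 2.7 or CPython 3, plus an audit helper that names the accounts whose role rows are NULL so the data can be fixed at the source. The function names and sample rows are constructed, and the wiring from the roles attribute mapper's runScript expression to `clean_roles` is assumed and not shown.

```python
# Added example. All names here are hypothetical; sample rows are constructed.

def _is_blank(role):
    """True for None (SQL NULL) and for empty or whitespace-only role names."""
    if role is None:
        return True
    text = role.strip() if hasattr(role, "strip") else str(role)
    return len(text) == 0

def clean_roles(roles):
    """Drop None/blank entries and duplicates, keeping first-seen order.

    A user with no valid roles ends up with an empty list (no role-based
    access) instead of a null element reaching the role mapping step.
    """
    cleaned = []
    for role in (roles or []):          # tolerate a missing collection too
        if _is_blank(role):
            continue
        name = role.strip() if hasattr(role, "strip") else str(role)
        if name not in cleaned:
            cleaned.append(name)
    return cleaned

def users_with_null_roles(rows):
    """From (username, role) rows, list users that have a NULL/blank role."""
    flagged = []
    for username, role in rows:
        if _is_blank(role) and username not in flagged:
            flagged.append(username)
    return flagged

def roles_by_user(rows):
    """Group (username, role) rows into {username: cleaned role list}."""
    grouped = {}
    for username, role in rows:
        grouped.setdefault(username, []).append(role)
    return dict((user, clean_roles(vals)) for user, vals in grouped.items())

# Constructed sample of what a user-roles query might return.
SAMPLE_ROWS = [
    ("alice", "Operator"),
    ("bob", None),            # only a NULL role: the case that raised the 500
    ("carol", "Admin"),
    ("carol", None),          # valid role plus a stray NULL
    ("dave", "  "),           # blank string treated the same as NULL
]
```

Running `users_with_null_roles` over the real query output before enabling the filter shows which accounts would otherwise be silently reduced to an empty role list.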

There it is… I thought it was returning no results at first, but it was pulling back NULL. I just swapped the DB query to return something other than NULL. No more 500 error.


Take a look at this part of the first post in this thread:

As long as your barcode scanner can satisfy those requirements, you should be good.

I think this may be a feature request, but I’ll start with the question here in case it is already possible. We use Active Directory for authentication, and our badge information is stored as an attribute in AD. Is it possible to use “pure Active Directory” with an AD attribute rather than a query? We already have roles configured from AD, so it would require us to make fairly significant changes to try to move those roles into a separate database that we would query for the badge ID.

Just to be clear, I’m envisioning an extra field in the Advanced section for “Badge Attribute”.


No - this is not currently possible, but we do have a ticket (IGN-4409) in our backlog to add a badge attribute and badge search filter (for badge based auth) to the Pure AD user source profile. I’ve linked this post to that thread.
