Badge-based Authentication Support

I think this is the same as conventional SSO? (Once you have your AD user source set up on your gateway, within Designer go to: Project->Project Properties->Login-> Enable SSO Login)
I think once you are logged on to your Windows account, Ignition shouldn’t care how you originally authenticated.

Just to add - badge-based authentication is a feature available in Ignition IdPs. Vision does not yet support IdP-based (federated) authentication.

Any idea on anticipated timing for badge support in vision?

1 Like

Vision IdP support is pretty far out on the schedule right now - early 2021.

Hi,

@Kevin.Herron, can we have an update on the inclussion of badge support for Vision?

Also, any plans to include support for smartcards or an alternative solution for multi-factor authentication? If a system wants to achieve compliance with IEC-62443 at Security Level 4, MFA is a must.

Thanks,

Well it looks like IdP for Vision landed in 8.1.0 but I don’t know about any plans to support smartcards or alternative 2FA. I’ll find someone who might be more familiar with these project areas and get an answer. I suspect beyond what an IdP supports there isn’t much planned, though…

Hi,

Is the Badge login is applicable in the gateway or in Vision Client also available,

Am able to get the badge Login in Gateway but in Vision I am getting the normal login page only, wats the procedure to be followed for it?? any manual or settings you have please share it will be helpful

Yes. In the case of the Gateway Web Interface, make sure your System IdP setting (Config > Security > General) points to the IdP with badge based authentication enabled. In the case of the Vision Client, make sure the IdP auth strategy is set for the project and make sure the project's IdP points to the IdP with badge based authentication enabled (Designer > Project Menu > Properties)

still am unable to get badgelogin in Vision launcher

Kindly check my settings also fyr

How to do Gateway WebInterface for Vision CLient kindly guide me for this also.

What version of Ignition are you running?

Your vision client is using the classic authentication strategy based on your first screen shot. You need to change this to the IdP authentication strategy. See: Vision Project Properties - Ignition User Manual 8.1 - Ignition Documentation

Ignition 8.1.3,Its Working, Thanks

Any Idea about this error?

I tried normal login. in the same settings am getting this error

Are there any exceptions in the gateway logs when this error occurs?

My Browser IE is having a Problem so i Changed Chrome as default browser then it was working thanks for your support…

I have had more than one user report this error this week on an IdP using badge authentication… Still have not been able to narrow it down enough to get support involved.

image

What version of Ignition are you on? Are there any exceptions in the Gateway logs when this error occurs?

Got it replicated… I am running 8.1.2. I can consistently get the error when the users roles is Null.

User Source Type: AD/Database Hybrid
IdP Type: Ignition

This might be slightly related to ticket 15007 where SSO is not working if the role list is Null. Might be that Null roles is causing issues after 8.1

Here is the corresponding error in gateway.FederationRoutes logger

java.lang.NullPointerException: null

at com.google.common.base.Preconditions.checkNotNull(Preconditions.java:871)

at com.google.common.collect.SingletonImmutableSet.(SingletonImmutableSet.java:45)

at com.google.common.collect.ImmutableSet.of(ImmutableSet.java:84)

at com.google.common.collect.ImmutableSet.construct(ImmutableSet.java:166)

at com.google.common.collect.ImmutableSet.copyOf(ImmutableSet.java:269)

at java.base/java.util.Optional.map(Unknown Source)

at com.inductiveautomation.ignition.gateway.auth.mapper.attr.user.UserAttributeMapper.map(UserAttributeMapper.java:110)

at com.inductiveautomation.ignition.gateway.auth.idp.IdpAdapter.mapUser(IdpAdapter.java:123)

at com.inductiveautomation.ignition.gateway.auth.idp.WebAuthSessionImpl.onLoginResponseInternal(WebAuthSessionImpl.java:204)

at com.inductiveautomation.ignition.gateway.auth.idp.WebAuthSessionImpl.lambda$onLoginResponse$2(WebAuthSessionImpl.java:213)

at com.inductiveautomation.ignition.gateway.auth.idp.WebAuthSessionImpl.mdc(WebAuthSessionImpl.java:102)

at com.inductiveautomation.ignition.gateway.auth.idp.WebAuthSessionImpl.onLoginResponse(WebAuthSessionImpl.java:213)

at com.inductiveautomation.ignition.gateway.auth.idp.IdpAdapterConfigRoutes$TestLoginWebAuthResponseHandler.handle(IdpAdapterConfigRoutes.java:297)

at com.inductiveautomation.ignition.gateway.auth.federation.FederationRoutes.callback(FederationRoutes.java:273)

at com.inductiveautomation.ignition.gateway.auth.federation.FederationRoutes$CrossSiteRouteHandler.handle(FederationRoutes.java:121)

at com.inductiveautomation.ignition.gateway.dataroutes.Route.service(Route.java:252)

at com.inductiveautomation.ignition.gateway.dataroutes.RouteGroupImpl.service(RouteGroupImpl.java:61)

at com.inductiveautomation.ignition.gateway.dataroutes.RouteGroupCollectionServlet.serviceInternal(RouteGroupCollectionServlet.java:54)

at com.inductiveautomation.ignition.gateway.dataroutes.AbstractRouteGroupServlet.service(AbstractRouteGroupServlet.java:38)

at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)

at org.eclipse.jetty.servlet.ServletHolder$NotAsyncServlet.service(ServletHolder.java:1391)

at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:760)

at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:547)

at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)

at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:590)

at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)

at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:235)

at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1607)

at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:233)

at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1297)

at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:188)

at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:485)

at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1577)

at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:186)

at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1212)

at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)

at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)

at org.eclipse.jetty.rewrite.handler.RewriteHandler.handle(RewriteHandler.java:322)

at org.eclipse.jetty.server.handler.HandlerList.handle(HandlerList.java:59)

at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:146)

at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)

at org.eclipse.jetty.server.Server.handle(Server.java:500)

at org.eclipse.jetty.server.HttpChannel.lambda$handle$1(HttpChannel.java:383)

at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:547)

at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:375)

at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:270)

at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311)

at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103)

at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.onFillable(SslConnection.java:543)

at org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:398)

at org.eclipse.jetty.io.ssl.SslConnection$2.succeeded(SslConnection.java:161)

at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103)

at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:117)

at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:336)

at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:313)

at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:171)

at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:129)

at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:388)

at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:806)

at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:938)

at java.base/java.lang.Thread.run(Unknown Source)

Hi I used a barcode scanner to scan the badge(TB790) in gateway web interface but am unable to login whether any other hardware or any modules reqd to do it…

Yep, based on that stack, your user(s) must have one or more null roles. These roles must be set in your Database - you could adjust your User Roles Query setting on the user source to filter out null values. At the IdP layer, as an extra safeguard, you could set your roles attribute mapper to an expression which calls runScript and have a jython script filter out None values from the collection of roles.

There is is... I thought it was returning no results at first, but it was pulling back NULL, I just swapped the DB query to return something other than NULL. No more 500 error.

1 Like