Best way to tie active directory roles to Ignition roles

Our end goal is that we want to create Active Directory groups and use that for how people login to Ignition/perspective projects.

Right now, we have an Identity Provider set up and that is how we login to a gateway/project. It just uses an app registration in Azure to sign in.

For example, we may have an AD group named "Ignition_Administrators" and the users in that group would have full access to everything in Ignition with a role. Another AD group could be "Ignition_Read" and the users in that would have a role that can view certain areas but have pretty limited access.

The example is simple now, but we would have a bunch of AD groups that limit access to certain projects and limit what you can change/add on a gateway.

My final question is, how would we go about doing this? I was thinking we would have to create a new Active Directory user source, but I know we can also get the list of roles a user is in in the identity provider and make user mappings to the roles. I just don't know if it is easier and better to do it in a user source instead.

If you're using Perspective, you must use an identity provider, but when using the internal IdP, you can tie it to any user source you want, and like you mentioned, map the groups/roles. This is how I've done it in the past and it works well. You just need to set up the permissions appropriately for your various groups/roles.

Great, thanks for the info!

I second @michael.flagler's recommendation. I would also create Security Level Roles (which correlate 1:1 with AD groups), then map those AD groups to Ignition roles. This adds a layer of management, but also several other forward-thinking benefits (multiple IDPs & user sources can share the same Security Levels, easier to filter & display the list of roles that a user is granted within Ignition, etc.). An example config:

  • Create Security Level Roles that are meaningful for your project organization.
  • User Source: Active Directory
    • Ensure User Role Attribute is mapped correctly (default = memberOf).
  • IDP: Ignition
    • Ensure User Attribute Mapping @ Roles is configured correctly (Type=Direct, Source=ID Token Claims, path=Roles).
    • Set up Security Level Rules to match your AD groups. For example, a Security Level of "Area1/Facility1/View" might contain the expression:
      containsAny({idp-attributes:roles}
        ,'Ignition_Area1_Site1_View'
        )

Your configuration may differ...

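To make the Security Level Rules step above concrete, here is an added illustration (not Ignition code, and not from either poster) of how a rule table of the kind described resolves the `roles` claim of an ID token into granted Security Levels. The group names, level paths, token claims and the exact-match `contains_any` helper are all constructed assumptions standing in for Ignition's own `containsAny()` evaluation.

```python
"""Constructed walk-through of AD group -> Security Level resolution.
Not Ignition's implementation; it mirrors the rule shape described in the post."""
from typing import Dict, Iterable, List, Set

# Constructed rule table: Security Level path -> AD groups that grant it.
# Each entry corresponds to one 'containsAny({idp-attributes:roles}, ...)' rule.
SECURITY_LEVEL_RULES: Dict[str, List[str]] = {
    "Administrator": ["Ignition_Administrators"],
    "Area1/Facility1/View": ["Ignition_Area1_Site1_View", "Ignition_Administrators"],
    "Area1/Facility1/Edit": ["Ignition_Area1_Site1_Edit"],
    "ReadOnly": ["Ignition_Read"],
}


def roles_claim(claims: dict) -> List[str]:
    """Read the 'roles' claim (path=Roles in the User Attribute Mapping).
    Some IdPs emit a single-valued claim as a bare string, so normalise to a list."""
    value = claims.get("roles", [])
    if isinstance(value, str):
        return [value]
    return list(value)


def contains_any(haystack: Iterable[str], *needles: str) -> bool:
    """Exact, case-sensitive membership check (assumption standing in for containsAny)."""
    present = set(haystack)
    return any(needle in present for needle in needles)


def granted_levels(claims: dict, rules: Dict[str, List[str]] = SECURITY_LEVEL_RULES) -> Set[str]:
    """Evaluate every rule against the token. A user whose groups match no rule
    receives no Security Levels at all, which is the least-privilege default."""
    roles = roles_claim(claims)
    return {level for level, groups in rules.items() if contains_any(roles, *groups)}


# Constructed ID token claims (hypothetical users; 'roles' as an app registration might emit it).
ADMIN_TOKEN = {"preferred_username": "alice@example.com", "roles": ["Ignition_Administrators"]}
VIEWER_TOKEN = {"preferred_username": "bob@example.com", "roles": "Ignition_Area1_Site1_View"}
UNMAPPED_TOKEN = {"preferred_username": "carol@example.com", "roles": ["Some_Other_Group"]}

if __name__ == "__main__":
    for token in (ADMIN_TOKEN, VIEWER_TOKEN, UNMAPPED_TOKEN):
        print(token["preferred_username"], sorted(granted_levels(token)))
```

The unmapped user is the case worth checking in a real gateway: a group that appears in the token but in no rule should grant nothing, rather than falling through to a default level.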