Not sure if this is already fixed, but I’ve noticed that the auto logout feature doesn’t really work as intended. It auto logs the user “out” in that in the session it shows up as unauthenticated, however if you go to log in again, you get logged back in as the previous user (as long as you’re within the user login timeout period set by the IdP).
I have that enabled and it’s still not logging the previous user out. Even when I close the session and open a new one from Designer. When I hit the back navigation button to go to the login screen and use a different login, it just takes me back to the startup screen signed in as the previous user.
FWIW, I see the following behavior in our Perspective apps:
On your personal machine SSO is always used no matter what the Ignition settings are.
On public “kiosk” machines those settings do work and prompt the user to enter their username and password each time.
One thing to be cautious of in Chrome are these settings. For our kiosk machines we have turned them both to “false” but anyone savvy enough can easily turn them back on.
The reauthentication is enabled on the gateway level. I turned the auto sign-in off in Chrome and it’s still doing it. I appreciate you looking into this.
I’m assuming the “auto logout” feature here is Perspective’s inactivity timeout. In response to the OP: it is working as intended. We never designed it to log you out of the IdP when timing out of the Perspective session. That could get really annoying if you have two different projects using the same IdP. Maybe you are active on one project, but inactive on the other.
For example: let’s say we have three Perspective Projects: Project A, B, and C, and each times out after 15 mins of inactivity and is set to log out of the Perspective session at that point. Let’s say the IdP is set to log the user out of its session after 30 mins of inactivity. Let’s say you log into Project A, which requires logging into the IdP. After a few minutes, you log into Project B, which uses the IdP session established by Project A, so you didn’t have to enter credentials to sign into Project B. Let’s say you do work on Project B for 20 mins. Project A went inactive and logs out. Now let’s say you try to open up Project C. If Project A’s inactivity timeout logged you out of the IdP, you’d have to re-enter credentials again, even though the IdP’s 30 minute timeout hasn’t fully elapsed.
Like @nicholas.robinson mentioned - you could enable the “Always ask the IdP to re-authenticate users by default” setting on the project (or system). This will force users to re-enter credentials on the IdP every time they wish to log into Perspective (or any other IdP client app). So if Perspective logs the user out of its session due to inactivity, the next time the user tries to log into the project, they have to re-enter credentials. The downside is: users will not get the convenience of being “remembered” in their browser session, thus bypassing the credential validation step(s).
@Kevin_Rice - which IdP are you using? What do your settings look like in Gateway Web Interface > Config > Security > General? What do your settings look like in your Perspective Project’s Properties (Designer Project Menu > Properties > Project > General)?
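The three-project scenario and the re-authentication setting from the reply above, replayed as an added model that is not part of the thread and is not Ignition code. The `Idp` class, `run`, the `propagate_logout` switch (the behaviour the reply says was never designed in), the users `alice` and `bob`, and the rule that only logins refresh the IdP session are all assumptions made for illustration.

```python
# Constructed model, not Ignition code. Times are minutes, timeouts as in the thread.
IDP_TIMEOUT = 30      # IdP session inactivity timeout
PROJECT_TIMEOUT = 15  # Perspective session inactivity timeout

class Idp:
    def __init__(self):
        self.user = None       # user remembered by the IdP session
        self.last_seen = None  # assumption: only logins refresh the IdP session

    def authenticate(self, now, person, force_reauth):
        """Return (signed_in_user, prompted); person is whoever is at the keyboard."""
        alive = self.user is not None and now - self.last_seen < IDP_TIMEOUT
        prompted = force_reauth or not alive
        if prompted:
            self.user = person  # credentials were typed, so the session is theirs
        self.last_seen = now
        return self.user, prompted

def run(events, force_reauth=False, propagate_logout=False):
    """Replay (minute, action, project, person) events; return one
    (project, signed_in_user, prompted) tuple per login."""
    idp, sessions, log = Idp(), {}, []
    for now, action, project, person in events:
        # Expire idle Perspective sessions before handling the event.
        for name, last in list(sessions.items()):
            if now - last >= PROJECT_TIMEOUT:
                del sessions[name]
                if propagate_logout:  # hypothetical: timeout also ends the IdP session
                    idp.user = None
        if action == "login":
            log.append((project, *idp.authenticate(now, person, force_reauth)))
        sessions[project] = now
    return log

# Scenario from the reply: A at 0, B at 3, work in B, then open C at 23.
THREE_PROJECTS = [(0, "login", "A", "alice"), (3, "login", "B", "alice"),
                  (10, "activity", "B", "alice"), (20, "activity", "B", "alice"),
                  (23, "login", "C", "alice")]
# Shared kiosk: alice walks away, bob logs in 20 minutes later.
KIOSK = [(0, "login", "A", "alice"), (20, "login", "A", "bob")]

if __name__ == "__main__":
    for label, kwargs in [("default", {}), ("propagate", {"propagate_logout": True}),
                          ("force re-auth", {"force_reauth": True})]:
        print(label, run(THREE_PROJECTS, **kwargs), run(KIOSK, **kwargs))
```

In the default run the kiosk's second login comes back as `alice` without a prompt, which is the behaviour reported at the top of the thread; with `force_reauth=True` the same login is prompted and belongs to `bob`.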
We use “Always ask the IdP to re-authenticate users by default” on public kiosk machines that have features such as machine control along with asking the browser not to remember passwords.
This helps ensure that someone cannot accidentally get into somewhere they should not be using a stored password/security context and that when someone logs in to perform machine control it is a purposely deliberate set of steps.