External identify provdier (idP) - Initiate authentication and roles

Hi All,

We have set up an external idP (Auth0) for our Perspective sessions.

The login process is now:

  1. Initiate authentication from the common login project by clicking “Login”
  2. Enter credentials as Auth0 login page
    → The system them automatically forwards the user to user’s defined project.

Then I have 3 questions.

  • Is it possible to change the design of the Ignition login page?
  • Is it possible to skip pressing login at step 1, and have the authentication started with no user input?
    I understand its not possible to initiate authentication directly.
  • How does Roles work with external idP? I set required Client role to “admin” but could still login from Auth0, even if these users does not have any admin rights.

Thanks, and I would like to wish you all a happy new year.

Check out this thread... [FEATURE-1402] Perspective "autologin" IdP

Client Roles only apply to User Sources. Also, AFAIK, the "Required Roles Setting" only applies to Vision Clients... its really in the wrong section of the Project Properties, but has been in that spot for ~10 years...

For Perspective, you want Perspective > Permissions in the project properties. That will control login to Perspective.

Hi Ryan,

Thanks for the input. Under “Perspective / Permissions”, “Roles” and “match all” has been selected.

I can still login from auth0.

Did you select some roles? If Public is selected, anyone can Login…

Security in Perspective - Ignition User Manual 8.1 - Ignition Documentation (inductiveautomation.com)

If we set Security levels none is allowed in, even when the auth0 user has role “admin” assigned.

Did you test your IdP from the GW to make sure its retuning as expected?

image

We are on to something here.

The test login idP Response data from Auth0 is not including roles. Will look into it. :slight_smile:

2 Likes

Looking at the Raw JSON that Auth0 sends and the Ignition idP test data there is a big difference. Name and user name is mapped to attribut “sub”, that is nowhere to be found in the Auth0 output.

Is Ignition doing its own filtering and altering the input?

Sounds like you need to play with your User Attribute Mapping to get the fields aligned to your IdP…

https://docs.inductiveautomation.com/display/DOC81/User+Attribute+Mapping

Custom namespace-prefixed attribute is now being passed successfully into the Test IdP area:

{
  "tokenEndpointResponse": { /* snipped */ },
  "idTokenClaims": {
    "https://custom.url.here/roles": [
      "Demo"
    ],
    "sub": "etc",
    // snipped
  }
}

However inside the user attribute mapping, a direct mapping for “https://custom.url.here/roles” doesn’t seem to map anything. The rest of the attributes (given_name, family_name, email, etc) are mapping correctly.

Check out this thread: Ignition 8.0.2, May 7th Identity Provider - User Mapping Attributes - Roles property does not get mapped to IdP Response value

Confirmed - direct mapping http://custom.url.here/roles does not work, but ["https://custom.url.here/roles"] does work. The JsonPath library used under the hood needs this syntax when matching against something that looks like a URL. This effectively tells the mapper to “just match the text” and not try to find a subpath.

Thanks.

2 Likes

#3 answered. Anyone have any ideas for #1 and #2?

No, though this idea has been submitted and looks pretty popular. If that idea captures what you are asking, consider upvoting the idea.

Not at this time. We are currently exploring how best to enable this capability.

I see I already have given my vote. :slight_smile:

eric3 sent me this by email, I would like to share it:
“Regarding the authentication… The ALB (Amazon load balancer) does a great job at authentication and making the session available to the application. I considered this when we were discussing this early on, however I ruled it out because you don’t have any control over the Ignition server. You would need to get Ignition to “trust” the ALB session information, and Ignition doesn’t have any kind of option for that. You need more granular control over who has access to what (RBAC == Role Based Access Control) and Ignition has no support for externally-enforced RBAC.”

This seems unrelated to your original questions, but it seems like the email you shared expresses a goal of getting Ignition to establish an authenticated session based on trust in a load balancer in front of it (perhaps through some magic headers or something of the sort). While I do not believe this is possible, Ignition can trust an external IdP. Can the ALB act as a SAML or OIDC IdP for Ignition? Or might there be an IdP service / software out there which can trust ALB session information? If either of these two options are possible, you could indirectly accomplish your goal (or eric3's goal, if I understand it correctly).

Hi, did you (or anyone) figure out how to get roles from auth0?

roles

1 Like

Thank you! really appreciate it.