[FEATURE-1402] Perspective "autologin" IdP

We are using Office365 as our IdP. We have multiple projects, but always get the Sign In screen when navigating to the Perspective project. 95% of the time the user's browser is already authenticated to Office365, and clicking sign in just completes the auth and loads the Perspective project.

Is there a way to have Ignition automatically attempt the sign in attempt and bypass this screen? It would make for a much better user experience in our environment.

Anyone have ideas on this? One less click to login would be nice.

@jspecht will correct me, but I believe we basically have to do this, because Perspective/Ignition isn’t holding on to the auth, so we have to ask the delegated IdP for that info. Automatically attempting a sign-on seems like a bad idea, but I don’t know enough to say for sure.

Hmm, interesting. I have a few other vendors where the act of just navigating to the site is considered a request for the auth. So if the auth is not present, it just requests from the IdP without asking them to explicitly authorize it.

Interestingly enough, I just noticed that the sign in action just redirects to /data/perspective/login/{project}. Is there any “bad” in opening the project from this directly? Provided the obvious checks of the initial sign in screen will not be run?

I can understand in a public facing scenario or a site with multiple IdP options, then asking the user first would be a good idea, but in an enterprise where we shove all auth through the same IdP it seems unnecessary.

This has come up before. Unfortunately, there is no way around this “speed bump”. It is on our radar and it is something we are going to explore supporting in the future.

Do you know how the other vendors are performing the automatic login? Do they use OIDC or SAML based IdPs? When you land on the auth-protected page, is the browser immediately redirecting you to the IdP to login? Or is it doing some kind of async background call to the IdP while keeping the user on the auth-protected page in a waiting state?

You totally could link directly to /data/perspective/login/{project}, just know you are relying on the internal implementation details of how Ignition does the IdP redirects and while I do not see this changing any time soon, it could change in the future.

Both OIDC and SAML. I have a few apps where, once the IdP is configured, the act of navigating to the URL un-authenticated redirects to the IdP (you see the address bar hop around), then you get auto-redirected back to the app. The behavior of almost all of our other applications (including SharePoint / Office 365) is mostly this way. Never seen any async background stuff, it always happens in the foreground.

Very cool. I think for the most part people will still bookmark the /client, but when redirecting a user from one Perspective project to another it's a bit more user friendly to send them to /login to make things go faster. The behavior of accessing /login is more in line with the behavior of our other apps using the same IdP.

2 Likes
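
Added example (not part of the thread and not Ignition's implementation): the foreground redirect pattern described above, sketched for an OIDC authorization-code flow. It shows the two checks that matter once the interstitial click is gone: a per-session `state` value validated on the callback, and a return path restricted to the same site. The endpoint URL, client ID, redirect URI and the dict-based session are assumptions made for illustration.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumed values for illustration only (not Ignition or Office365 settings).
AUTHORIZE_URL = "https://idp.example.com/oauth2/authorize"
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://app.example.com/callback"


def begin_login(session, requested_path):
    """Unauthenticated navigation: return the IdP URL to send in a 302."""
    # state binds the IdP response to this browser session (login CSRF defence);
    # nonce is compared later with the nonce claim inside the ID token.
    state = secrets.token_urlsafe(32)
    nonce = secrets.token_urlsafe(32)
    # Remember only same-site relative paths, so the post-login redirect
    # cannot be abused as an open redirect.
    bad = (not requested_path.startswith("/")
           or requested_path.startswith("//") or "\\" in requested_path)
    return_to = "/" if bad else requested_path
    session["pending"] = {"state": state, "nonce": nonce, "return_to": return_to}
    query = urlencode({
        "response_type": "code", "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI, "scope": "openid",
        "state": state, "nonce": nonce,
    })
    return f"{AUTHORIZE_URL}?{query}"


def finish_login(session, callback_url):
    """IdP callback: return (code, nonce, return_to) or raise PermissionError."""
    pending = session.pop("pending", None)  # single use: a replay finds nothing
    params = parse_qs(urlsplit(callback_url).query)
    returned = params.get("state", [""])[0]
    if pending is None or not hmac.compare_digest(
            returned.encode(), pending["state"].encode()):
        raise PermissionError("state mismatch: response not requested by this session")
    if "error" in params or "code" not in params:
        raise PermissionError("IdP did not return an authorization code")
    # The caller exchanges the code at the token endpoint, then checks that
    # the ID token's nonce claim equals the nonce returned here.
    return params["code"][0], pending["nonce"], pending["return_to"]
```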

I just wanted to chime in to say that our organization also uses a system that authenticates just by opening a web page, and the interstitial Ignition login button is cumbersome.

We’re deploying a system that displays information on hands-off monitors where no user interaction is available. Requiring the “Continue to Log In” button to be clicked interferes with this system.

For the time being, we’ll likely use the /data/perspective/login/{project} URL referenced above by @jspecht, but it sounds like that might not be a good long-term solution. Is there any update on adding the ability to disable this page?

We’ve created a proof-of-concept and (from that effort) a ticket was created for this feature’s implementation and is currently under review.

1 Like

Great! Thanks for the update.

Any news?

A developer is currently working on this feature’s implementation.

1 Like

Is there a rough ETA for the implementation?

1 Like

I see there is news regarding the IdP in 8.1.5, has this request been included?

It’s still in development.

Any ETA available?

Any news on this topic?

Yes - this feature was merged into 8.1.8 earlier this month:

1 Like

Works very well, thanks!

1 Like