[FEATURE-2155] SAML IDP Entity ID Setting

@jspecht is there a way we can manually specify IDP entity ID?

Now this is automatically picked up as the gateway DNS but in order to manage a large number of instances from one single IDP federation, we need to be able to use the same entity ID for each of our ignition instances.

Thanks,

Nick

There is not a way to manually specify Ignition’s SP Entity ID, which is what I believe you are asking?

You are not the first person to ask, and we have a ticket in our backlog to address this.

Correct. Thanks for verifying.

For now we will continue to get a new federation connection per Ignition VM but this will add up and become cumbersome to manage quite rapidly because we will be greatly expanding the # of instances of Ignition.

When it is released how can we be notified of it? We will have a backlog of work then to go update all the existing instances in production.

Thanks,

Nick

I’ve linked our internal ticket to this forum thread so that when it is released, someone should reply back to this thread with the news. You can also keep an eye out for the nightly build thread referencing ticket 2155

To give some nuance, what needs to be parameterizable is the saml:Issuer attribute in the SAML request.

Decoding the SAML request and pretty-printing the XML we see every gateway sends its own hostname as the identifier.

If we could set this attribute using a single identifier, it greatly simplifies certificate management required for the army of gateways.

Thanks for the information. Ticket 2155 that I have referenced will solve this problem by exposing a new SP Entity ID setting in the SAML IdP config. By default, it will be in “auto” mode (which behaves as it does right now, using the incoming request’s Gateway URL as the SP Entity ID), but you will be able to disable the auto mode and specify your own hard-coded SP Entity ID to use instead. This is what is used as the Issuer in SAML request XML documents originating from the Gateway.
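To make the point about the Issuer concrete, here is a small added example (not Ignition code, not from anyone in this thread) that decodes an HTTP-Redirect-binding SAMLRequest the way the post above describes, reads the saml:Issuer, and audits a fleet of gateway captures against the single static SP Entity ID the new setting would let you configure. The hostnames, the entity ID and the captured requests are all constructed for the example.

```python
import base64
import urllib.parse
import zlib
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def build_authn_request(issuer: str) -> str:
    """Constructed minimal AuthnRequest; only the Issuer matters here."""
    return ('<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
            'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example1" '
            'Version="2.0" IssueInstant="2020-01-01T00:00:00Z">'
            f'<saml:Issuer>{escape(issuer)}</saml:Issuer></samlp:AuthnRequest>')

def encode_redirect(xml: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE, then base64, then URL-encode."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    raw = comp.compress(xml.encode()) + comp.flush()
    return urllib.parse.quote(base64.b64encode(raw).decode(), safe="")

def decode_redirect(saml_request_param: str) -> str:
    """Reverse of encode_redirect: URL-decode, base64-decode, inflate."""
    data = base64.b64decode(urllib.parse.unquote(saml_request_param))
    return zlib.decompress(data, -15).decode()

def issuer_of(xml: str) -> str:
    """Return the saml:Issuer text of an AuthnRequest (the SP Entity ID)."""
    el = ET.fromstring(xml).find("saml:Issuer", NS)
    if el is None or not el.text:
        raise ValueError("AuthnRequest has no saml:Issuer")
    return el.text.strip()

def audit_issuers(captures: dict, expected: str) -> dict:
    """gateway -> issuer for every gateway NOT sending the expected entity ID."""
    found = {gw: issuer_of(decode_redirect(p)) for gw, p in captures.items()}
    return {gw: iss for gw, iss in found.items() if iss != expected}

# Constructed fleet: two gateways still in "auto" mode (hostname as Issuer),
# one already configured with the shared static SP Entity ID.
EXPECTED_SP_ENTITY_ID = "https://ignition-sp.example.internal"  # placeholder
SAMPLE_CAPTURES = {
    "gw-01": encode_redirect(build_authn_request("https://gw-01.example.internal")),
    "gw-02": encode_redirect(build_authn_request("https://gw-02.example.internal")),
    "gw-03": encode_redirect(build_authn_request(EXPECTED_SP_ENTITY_ID)),
}

if __name__ == "__main__":
    for gw, iss in audit_issuers(SAMPLE_CAPTURES, EXPECTED_SP_ENTITY_ID).items():
        print(f"{gw}: still sends Issuer {iss}")
```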


@jspecht @jsorlie it seems that our internal organization SAML IDP provider would begin disallowing us from having 1 IDP per gateway. They want us to use one single IDP connection for all Ignition applications. We cannot do this until feature 2155 is released. We have been in contact with @Travis.Cox and he has let us know it has been prioritized.

We really need this soon, at present we have 32 SAML IDP connections.

Thanks,

Nick

Hi @nicholas.robinson -

The ticket is currently being implemented by a developer. We’ll reply back once it has been merged into the early access build.

@jspecht @Travis.Cox we really need IA to release this feature. We know you have told us it is being worked on but today we were told internally that we have to update all of our SAML certs. At present this means doing it manually on 59 gateways.

If we had feature 2155 we’d only have to update 1 cert. Please help us prioritize getting this feature released.

Thanks,

Nick

This feature was merged in earlier today and will be a part of tomorrow’s early access build.

Here are a couple of screenshots of the new configuration mockups:

As you can see: there is a new “SP Entity ID” setting which has a checkbox “Automatically generate the SP Entity ID based on the hostname that the client uses to connect to this Gateway” checked by default for backwards-compatibility. The checkbox can be unchecked, at which point the text input below may be used to populate whatever static string you want to use for Ignition’s SP Entity ID.

What was previously the “Entity ID” setting is now renamed to the “IdP Entity ID” setting.

We also offer the capability to configure a completely separate set of config settings for the backup Gateway, which may be required in certain cases, though by default, the checkbox for “Use the same Provider Metadata Configuration for Redundant Backup” is checked, meaning the backup and master Gateways will use the same settings (which is how it has always worked).

These changes apply to the OIDC and SAML IdP types. They do not apply to the Internal Ignition IdP type, since redundancy is handled internally by this IdP type.

Let us know how this works out for you!