[FEATURE-2155] SAML IDP Entity ID Setting

That's great to hear! Thanks for the feedback.

Regarding your two outstanding challenges:

  1. How to update SAML metadata on each of hundreds of gateways

We have a ticket in our system which aims to solve this problem in the following way: first you enter your IdP metadata URL as a stored setting in the SAML IdP config in Ignition. Then, at the time of authenticating the user, Ignition will check if it has a key or certificate to verify the SAML response signature, and if it doesn't, it will make a request to the IdP using the metadata URL to load the latest keys / certs, and only then, if the appropriate key / cert still cannot be found, will the auth request fail. This is sort of how OIDC IdPs work when you have the "Use JWKS URI" setting enabled. Think of it as the Gateway automatically reloading the latest trusted keys / certs from the IdP.

This solution does require that each Gateway can communicate with the IdP, though. Does this solution sound like a good fit for your situation?

  2. How to do SSL cert changeover on each gateway when SAML has an SSL dependency

I do not understand this. In what way does SAML have an SSL dependency? When you say SSL, are you talking about the SSL certificate that is installed on the Gateway's web server?

Edit: I just read your post here: SSL Cert Switch Over Best Practices

So I am assuming that the dependency of SAML on the SSL cert simply means that your ACS URL needs to be https:// as per your IdP's requirements. If SSL is not installed on the Gateway at any given point in time, the Gateway will have an http:// URL, which will not match the SAML ACS https:// URL, and so SSO will fail when trying to log in using the SAML IdP over plain http. Please confirm my understanding.
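The refresh-on-miss behaviour described in the reply above (cached IdP certs, one reload from the stored metadata URL when a SAMLResponse is signed with an unknown cert, failure only if it is still unknown), as an added example that is not part of the original post and not Ignition's code. It assumes a hypothetical `IdpTrustStore` class, a pluggable `fetch` callable standing in for the HTTPS request to the metadata URL, and constructed placeholder bytes in place of real X.509 DER; the XML-DSig verification itself is not performed, the code only decides which trusted certificate a response may be verified with, and shows the reply's caveat that a Gateway which cannot reach the IdP cannot refresh.

```python
# Added example, not Ignition code: lazy reload of IdP signing certs from SAML metadata.
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}


def _b64(text):
    return base64.b64decode("".join(text.split()))  # tolerate PEM-style line breaks


def _fingerprint(der):
    return hashlib.sha256(der).hexdigest()


def parse_signing_certs(metadata_xml):
    """fingerprint -> DER for every cert the IdP publishes for signing.
    use="encryption" KeyDescriptors are skipped: never verify signatures with them."""
    certs = {}
    root = ET.fromstring(metadata_xml)
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):
            continue
        for node in kd.iterfind(".//ds:X509Certificate", NS):
            der = _b64(node.text or "")
            certs[_fingerprint(der)] = der
    return certs


def signing_cert_from_response(response_xml):
    """DER of the certificate the IdP embedded in the response's ds:Signature."""
    node = ET.fromstring(response_xml).find(
        ".//ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if node is None or not node.text:
        raise ValueError("SAMLResponse signature carries no X509Certificate")
    return _b64(node.text)


class IdpTrustStore:
    """Hypothetical per-Gateway cache of IdP signing certs (assumption, not Ignition's API)."""

    def __init__(self, metadata_url, fetch):
        self.metadata_url = metadata_url  # the stored setting the reply describes
        self._fetch = fetch               # callable(url) -> metadata XML; stands in for HTTPS GET
        self._certs, self.refreshes = {}, 0

    def refresh(self):
        # Production: HTTPS with cert validation or signed metadata, plus a minimum
        # interval between refreshes so a forged response cannot hammer the IdP.
        self._certs = parse_signing_certs(self._fetch(self.metadata_url))
        self.refreshes += 1

    def resolve_signing_cert(self, embedded_der):
        """Return the TRUSTED copy of the cert (from metadata), never the embedded one."""
        fp = _fingerprint(embedded_der)
        if fp not in self._certs:
            try:
                self.refresh()  # one reload on miss, like "Use JWKS URI" for OIDC
            except OSError as exc:  # Gateway cannot reach the IdP: login must fail
                raise PermissionError(f"unknown signing cert, refresh failed: {exc}") from exc
        if fp not in self._certs:
            raise PermissionError("SAMLResponse signed with a cert not in IdP metadata")
        return self._certs[fp]


# Constructed placeholders, not real certificates.
CERT_A, CERT_B, CERT_C, CERT_ENC = (base64.b64encode(b"placeholder cert " + n).decode()
                                    for n in (b"A", b"B", b"C", b"ENC"))


def make_metadata(*signing_certs):
    kd = ('<md:KeyDescriptor use="{u}"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{c}'
          '</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>')
    body = "".join(kd.format(u="signing", c=c) for c in signing_certs) + kd.format(u="encryption", c=CERT_ENC)
    return (f'<md:EntityDescriptor xmlns:md="{NS["md"]}" xmlns:ds="{NS["ds"]}" entityID="https://idp.example.com/saml">'
            f'<md:IDPSSODescriptor>{body}</md:IDPSSODescriptor></md:EntityDescriptor>')


def make_response(cert_b64):
    return (f'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:ds="{NS["ds"]}" ID="_r1">'
            f'<ds:Signature><ds:SignedInfo/><ds:SignatureValue>AAAA</ds:SignatureValue><ds:KeyInfo><ds:X509Data>'
            f'<ds:X509Certificate>{cert_b64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature></samlp:Response>')


def demo():
    """Walk through an IdP cert rotation; returns observations."""
    published = {"xml": make_metadata(CERT_A)}  # what the IdP currently serves
    store = IdpTrustStore("https://idp.example.com/metadata", lambda url: published["xml"])

    def attempt(cert_b64):
        try:
            return store.resolve_signing_cert(signing_cert_from_response(make_response(cert_b64))) is not None
        except PermissionError:
            return False

    out = {"a_accepted": attempt(CERT_A), "after_a": store.refreshes}   # cold cache: 1 refresh
    published["xml"] = make_metadata(CERT_A, CERT_B)                     # IdP rotates, signs with B
    out.update(b_accepted=attempt(CERT_B), b_again=attempt(CERT_B), after_b=store.refreshes)  # 2
    out.update(c_accepted=attempt(CERT_C), enc_accepted=attempt(CERT_ENC), after_c_enc=store.refreshes)  # 4

    def unreachable(url):
        raise ConnectionError("Gateway cannot reach IdP")
    offline = IdpTrustStore("https://idp.example.com/metadata", unreachable)
    try:
        offline.resolve_signing_cert(_b64(CERT_A))
        out["offline_accepted"] = True
    except PermissionError:
        out["offline_accepted"] = False
    return out


if __name__ == "__main__":
    print(demo())
```

The store hands back its own copy of the certificate rather than the one carried in the response, so the signature is always checked against a key learned from the IdP's metadata; the embedded cert only selects which trusted key to use. The second attempt with cert B shows a plain cache hit with no network round trip, while the unknown cert, the encryption-only cert and the unreachable IdP all end in a failed login.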