How to mitigate AD+SSO vulnerability?

We recently upgraded one of our Gateways to 8.1.17, and successfully re-enabled SSO for our clients, but I was wondering if there is a possibility to be “safe” while using SSO.

SSO can be enabled for the Clients and for the Designer, but the article does not talk specifically about which is vulnerable.

So here I ask.

  1. Are both vulnerable?
  2. Is one “worse” than the other?
  3. Are we “safe” if only SSO for the Designer is disabled?
  4. How can I get a detailed description in order to reproduce within my organization?

Thanks!

Sorry to hijack your thread. But I am having issues re-enabling SSO and it seems that you got it going. I have added the line to the java additional parameters and restarted the service. But I still can’t enable SSO under the AD user source config. Is there something else I need to do?

Thanks.

No worries.

If you were following the instructions from the article, one thing that can be missed is that you’d need to replace the X from wrapper.java.additional.X=-Dignition.enableInsecureAdSso=true to a number as explained here.

E.g. ignition.conf lines 69-73:

# Java Additional Parameters
wrapper.java.additional.1=-Ddata.dir=data
#wrapper.java.additional.2=-Xdebug
#wrapper.java.additional.3=-Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=*:8000
wrapper.java.additional.4=-Dignition.enableInsecureAdSso=true
1 Like
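A quick way to verify the step described in this answer without restarting and guessing: the POSIX shell function below (an added example, not code from the thread or from Inductive Automation) scans an ignition.conf for the wrapper.java.additional line carrying -Dignition.enableInsecureAdSso=true and reports the three mistakes that keep the setting from taking effect: the placeholder X left in place, the line still commented out, or the chosen index colliding with another active wrapper.java.additional line. The sample config it writes is constructed for the demonstration; the function name and return codes are this example's own.

```shell
#!/bin/sh
# Added example: validate the enableInsecureAdSso line in an ignition.conf.
# Return codes (this example's own convention):
#   0 = exactly one active, numbered line sets the flag
#   1 = placeholder index X was never replaced
#   2 = flag not present (AD SSO stays disabled, the secure default)
#   3 = flag present only on a commented-out line
#   4 = the flag's index is reused by another active line

check_ad_sso_flag() {
    conf="$1"
    flag='-Dignition.enableInsecureAdSso=true'
    prefix='^wrapper\.java\.additional\.'

    # Literal X instead of a number: the wrapper never applies this line.
    if grep -q "${prefix}X=$flag" "$conf"; then
        echo "placeholder index X was never replaced with a number"
        return 1
    fi

    # Pull the numeric index from the first active line that sets the flag.
    n=$(sed -n "s/${prefix}\([0-9][0-9]*\)=$flag\$/\1/p" "$conf" | head -n 1)
    if [ -z "$n" ]; then
        if grep -q "^#.*wrapper\.java\.additional\.[0-9]*=$flag" "$conf"; then
            echo "flag line is present but commented out"
            return 3
        fi
        echo "flag not set: AD SSO remains disabled"
        return 2
    fi

    # Two active properties with the same index: only one value survives.
    count=$(grep -c "${prefix}$n=" "$conf")
    if [ "$count" -gt 1 ]; then
        echo "index $n is used by $count active lines; pick an unused number"
        return 4
    fi

    echo "insecure AD SSO flag is active on wrapper.java.additional.$n"
    return 0
}

# Write a constructed sample config (each argument becomes one line) to a
# temp file and print its path. Test data only, not a real ignition.conf.
write_sample_conf() {
    f=$(mktemp)
    printf '%s\n' '# Java Additional Parameters' "$@" > "$f"
    echo "$f"
}

# Stand-alone demo on a constructed config shaped like the one in the answer.
sample=$(write_sample_conf \
    'wrapper.java.additional.1=-Ddata.dir=data' \
    '#wrapper.java.additional.2=-Xdebug' \
    'wrapper.java.additional.4=-Dignition.enableInsecureAdSso=true')
check_ad_sso_flag "$sample"
rm -f "$sample"
```

Run it against the real file with `check_ad_sso_flag /path/to/ignition.conf` after sourcing the script. A return of 0 only means the wrapper will pass the flag on the next restart; the SSO Enabled checkbox and SSO Domain on the User Source still have to be set in the Gateway, and the flag's own name is a reminder that turning it on re-opens the behaviour the vendor disabled by default.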

I added this line and I am still not able to log in automatically.

I enabled the SSO Enabled checkbox in the project as well.
Is there a way to confirm whether SSO is enabled or not?

Thanks

Did you restart the gateway after this step?

Hello zacht, yes I did.

Can you copy and paste the contents of ignition.conf? I don't think it contains any sensitive information.

Also, make sure you have checked SSO Enabled and properly configured the SSO Domain on your User Source.

No answer yet for the OP?

I'll take a stab.

  1. yes
  2. no
  3. no
  4. publicly available details are at https://support.inductiveautomation.com/hc/en-us/articles/5979279808397-Active-Directory-SSO-Disabled-for-8-1-17-7-9-20-
1 Like

Hi,
is there any planned fix for this in a future release?
Being able to use SSO would be a great benefit, but not while the risk persists...

It's a Microsoft problem, not an Ignition problem. Ignition turned it off by default because Microsoft hasn't fixed the problem. (Possibly not fixable. Convenience is often not compatible with security.) You should bug Microsoft.