Asking a question regarding logging into a Perspective client with multiple identity providers. The Perspective client's default IdP is 'AzureAD'.

When typing in a username and password during login, if a user with those credentials isn't found in 'AzureAD', is it possible to have it then check for a user in default with those credentials?
You would configure AzureAD to have a soft failover to the default provider. (Not in project properties, but in the user source configuration in the gateway.)
From what I know that's possible when dealing with user sources, but is that also still possible with identity providers?
Is AzureAD an Ignition native Identity Provider? If so, it points at a user source, and that user source's failover option would apply. If not, then you have no failover options within Ignition at all. That would have to be set up in your external Identity Provider.
Got it, had a feeling that was the case, but thank you for the answer!
To my knowledge, Ignition doesn’t offer native multi-factor authentication (MFA). You only get MFA by using an external identity provider that supports it (Okta, Azure AD, Duo, etc.). However, if the internet goes down, the cloud IdP is unreachable, and no one can log in.
Why can't Ignition failover to the default identity source in these cases?
The only solution I see is implementing an on-prem IdP (like Keycloak) that you can sign in to via cloud sources with MFA (Okta, Azure AD, Duo, etc.) or a local user store, thus meeting the security and availability requirements. Although this should meet all the requirements, it increases complexity and would be a whole lot simpler if this was implemented in Ignition.
Failover only works with user sources, not Identity Providers. The protocols used with identity providers have no way to handle IdP failure. It is not something Ignition can solve; only a better IdP protocol can solve this.