IDP Role Mismatch When Using WebDev Page Inside Perspective iFrame

I have created a webpage using the Ignition WebDev module and embedded it in a Perspective view using an iframe. I also implemented login and logout functionality.

I have two HTML pages:

  • Dashboard
  • Checklist

The Checklist page displays plant data based on user roles defined in the Identity Provider (IDP).

Example role configuration:

  • User A → Role to access AAA plant data
  • User B → Role to access BBB plant data

These roles are configured in the IDP and mapped to users.

Application Flow:

  1. The user logs into Perspective using IDP authentication.
  2. The Dashboard page loads first.
  3. When navigating to the Checklist page and selecting a plant, a popup login page appears.

  4. In this popup, I enter User A’s credentials, while the Perspective session is already logged in as User B.

Problem:
When the WebDev page checks the user roles, it returns the roles for User A (entered in the popup login) instead of the roles for User B (the user authenticated in the Perspective session).

It appears that the browser-level authentication from the popup login is overriding or being used instead of the Perspective session's IDP authentication.

Question:
How can I ensure that the WebDev page uses the authenticated Perspective session user (User B) instead of the credentials entered in the popup login?

The issue is the use of an IFrame. IFrames are independent of, and carry no context from, the outer page. This is basic to IFrame security. (Except for keys embedded in their URL.)

I am using a custom login and logout page, and I manage the username, password, and roles in the database instead of using the Ignition User IDP. However, I am still getting this popup. Why is this happening?

WebDev doesn't hook into Perspective sessions automatically. Its sessions are independent.

Your WebDev content would need to delegate to the same IdP as Perspective using the SAML standard, with single-sign-on configured in that IdP.

I'm not sure what you mean by managing auth with your own pages, unless you've implemented a true external IdP? (Perspective has no way to script authentication outside of an assigned IdP.) You are unlikely to share auth with Perspective without a shared IdP.

Using WebDev, my requirement is to show data based on the logged-in user’s roles. The users log in through an Identity Provider (IDP).

Is it possible or not?

Yes. Implement SAML auth in WebDev. (You are on your own for this part--I've never done it because Perspective does it for me.) Point it at the same IdP. :man_shrugging:

You might be able to retrieve the PerspectiveSessionCollection from the WebDev's session prop, and then use .getOrCreateSession() to obtain the outer session.

(Use the perspective-session attribute on the WebDev session. This is what my blob server does.)