com.inductiveautomation.ignition.gateway.auth.web.strategy.WebAuthStrategyAdapterException: RelayState is empty
at com.inductiveautomation.ignition.gateway.auth.web.strategy.saml.SAMLWebAuthStrategyAdapter.lambda$parseState$0(SAMLWebAuthStrategyAdapter.java:393)
When I test the Azure connection under Identity Providers, I get a valid saml response and I’ve mapped the user attributes (except roles).
I’ve set up SSL, and HTTPS URLs work.
I’m using HTTP_POST for my SSO Service Binding
Do I need to setup a Relay State somewhere?
Version 8.1.2
Web browser: Firefox or Chrome on Windows 10
Only a single gateway
Just curious for those interested in IdP-initiated SSO support...where do you expect the user should land in Ignition when starting from an IdP-initiated login? We have an idea of how we want to build this feature, but I would like to understand what the community expects...
Thanks for the responses. One avenue we have looked at is using the Relay State parameter to drive where in Ignition the user is logged in (i.e. Gateway Web Interface vs Perspective Project). Seems like most IdPs support the concept of a default relay state which can be sent with the IdP-initiated login. Some IdPs also support adding multiple launch actions per single Service Provider (SP) where each launch action is tied to a distinct default relay state. I could imagine that users could use this to set up launch actions for multiple perspective projects.
Ok, didn't realize there could be aux info in the relay. Can such aux info simply indicate the project name? (Exposing my ignorance of the standard....)
Or perhaps, assuming the IdP can be disambiguated, look for a single project that has that specific IdP defined?
Or prioritize explicit relay state, but fall back to IdP matching?
Yes, that's what is attractive about the Relay State - in SP-initiated flows, the SP provides the IdP with the value, and after logging in, the IdP must provide the same value. This is how most SPs (including Ignition) correlate SAML requests with responses, in addition to knowing where to send the user after they log in (usually back to the page they were on when they initiated the login).
In IdP-initiated flows, the standard allows for any arbitrary Relay State (it could be blank or it could be some fixed string). We could come up with a Relay State encoding to disambiguate an unsolicited SAML response (IdP-initiated) vs a solicited response (SP-initiated) in addition to other variables such as the IdP name and "Log into the Gateway Home/Status/Config Page" or "Log into Perspective Project named 'foo' and then navigate to page 'x/y/z'".
If an unsolicited SAML Response is received with a Relay State pointing to a target which is not configured to use the SAML IdP for authentication purposes (for example: maybe the target is Perspective Project named 'foo' which is configured with an OIDC IdP), then we would probably just throw an error page up.
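The two uses of RelayState described in this reply, as an added example that is not Ignition's code and not part of the original thread: a small SP-side class that issues an opaque random RelayState for SP-initiated logins (stored with the AuthnRequest ID, the IdP it went to and the return URL) and checks the echoed value, InResponseTo and IdP on the Response, and that accepts an unsolicited (IdP-initiated) Response only when its RelayState carries a hypothetical `unsolicited=1&idp=...&target=...` encoding whose target is actually configured for that IdP. The target-to-IdP table, the encoding and the helper names are assumptions made for the example; an empty RelayState is rejected the way the exception at the top of the thread does.

```python
import secrets
import time
from urllib.parse import parse_qs, urlencode

# Constructed for this example: which authentication source each login target uses.
# A target configured with an OIDC IdP must not be reachable via an unsolicited SAML Response.
TARGET_IDP = {
    ("gateway", "home"): "azure-saml",
    ("gateway", "config"): "azure-saml",
    ("perspective", "plant"): "azure-saml",
    ("perspective", "foo"): "okta-oidc",
}


class RelayStateError(Exception):
    pass


def encode_unsolicited(idp_name, target, name, path=""):
    """Hypothetical encoding an IdP admin would paste as the default RelayState
    for an IdP-initiated launch action (not a real Ignition format)."""
    return urlencode([("unsolicited", "1"), ("idp", idp_name),
                      ("target", target), ("name", name), ("path", path)])


class SamlRelayState:
    """Issues RelayState for SP-initiated logins and validates it on the Response."""

    def __init__(self, ttl_seconds=300):
        self._pending = {}  # token -> (request_id, idp_name, return_url, expires_at)
        self._ttl = ttl_seconds

    def issue(self, request_id, idp_name, return_url):
        # Opaque, unguessable token; the IdP must echo it back unchanged.
        token = secrets.token_urlsafe(32)
        self._pending[token] = (request_id, idp_name, return_url, time.time() + self._ttl)
        return token

    def consume(self, relay_state, in_response_to, idp_name):
        """Validate the RelayState of a SAML Response received from idp_name.
        in_response_to is the Response's InResponseTo attribute (None if absent)."""
        if not relay_state:
            raise RelayStateError("RelayState is empty")
        if relay_state.startswith("unsolicited="):
            return self._consume_unsolicited(relay_state, in_response_to, idp_name)
        # Solicited (SP-initiated): single-use lookup of the token we issued.
        entry = self._pending.pop(relay_state, None)
        if entry is None:
            raise RelayStateError("unknown or already used RelayState")
        request_id, expected_idp, return_url, expires_at = entry
        if time.time() > expires_at:
            raise RelayStateError("RelayState expired")
        if in_response_to != request_id:
            raise RelayStateError("InResponseTo does not match the correlated AuthnRequest")
        if idp_name != expected_idp:
            raise RelayStateError("Response came from a different IdP than the request went to")
        return {"solicited": True, "return_url": return_url}

    def _consume_unsolicited(self, relay_state, in_response_to, idp_name):
        if in_response_to:
            raise RelayStateError("solicited Response carries an unsolicited RelayState")
        try:
            params = {k: v[0] for k, v in
                      parse_qs(relay_state, keep_blank_values=True, strict_parsing=True).items()}
        except ValueError as exc:
            raise RelayStateError("malformed unsolicited RelayState") from exc
        if params.get("idp") != idp_name:
            raise RelayStateError("RelayState names a different IdP than the one that signed the Response")
        target = (params.get("target"), params.get("name"))
        configured = TARGET_IDP.get(target)
        if configured is None:
            raise RelayStateError("unknown login target %r" % (target,))
        if configured != idp_name:
            raise RelayStateError("target %r is not configured to use IdP %s" % (target, idp_name))
        path = params.get("path", "")
        # Only a relative in-project path is allowed: no open redirect via RelayState.
        if path and (not path.startswith("/") or path.startswith("//") or "://" in path):
            raise RelayStateError("path must be a relative path inside the target")
        return {"solicited": False, "target": target, "path": path}


def safe_consume(rs, relay_state, in_response_to, idp_name):
    """Return ("ok", result) or ("error", message) instead of raising."""
    try:
        return ("ok", rs.consume(relay_state, in_response_to, idp_name))
    except RelayStateError as exc:
        return ("error", str(exc))
```

The `unsolicited=` prefix can never collide with an issued token because `token_urlsafe` output never contains `=`; any unexpected or replayed value falls through to the "unknown or already used" error rather than being treated as a login target.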
I am experiencing a similar issue. I set up Azure identity provider SSO. I went into the Ignition project and selected the identity provider there. I am using HTTPS, TLS cert, etc.
When I go to the URL of the Perspective session, it brings up the Ignition login screen. I can click on it, and it then redirects me to the Azure Microsoft login. When I enter my user and pass in there, it then just redirects me back to the same login screen and never takes me to the project page I wish. It seems to be stuck in a login loop?
Any thoughts on how or what I need to do in order for the IdP login to take me past the login screen and redirect me to the main project page?
I recently submitted a Ticket on this subject and have heard that the IDP initiated SSO is currently not available. I thought I should "chime" in on this thread to support/lobby for this feature on the roadmap. As we integrate more SaaS with Ignition, we find that the user experience with all the MFA today is becoming a bit of "friction" to users without having SSO.
Hope we can get this on the roadmap. You have my vote!
We're tracking this and it's starting to get requested more often. It's as "on the roadmap" as something can be right now, given that it's simply not possible we'll have time to build this until some time after 8.3 is released.
I should, perhaps, clarify that most of the SaaS services we use today have SSO capability out-of-the-box. Which allows us to login into one site once and then connect to other sites (that belong to the same federated IDP) without having to go through the entire login/MFA process again for each SaaS service.
Even among our Ignition Gateways and Designers, our engineers need to log in every time they want to access an Ignition asset through the IDP. They should (ideally) only have to log in once on their Desktop, and then the Credentials (or Token) should automatically be passed to other session connections (Gateways/Designers) so the engineer does not have to re-login again. Does this make sense?