Ignition Edge, user source fallback if IdP is not reachable


Hi @jspecht,
In Ignition Edge, is it possible to configure a user source fallback (Ignition default user source) if we use an Identity Provider (OpenID or SAML2)?

It's possible with an AD user source (Failover Source), but I can't find any such setting if we use an IdP.

Edge Panel is mainly used when the central Ignition gateway and the IdP are not reachable due to a network outage. If we use an IdP, how do we connect to Ignition Edge in that case?

IdPs do not support the concept of "failover" in the same way as User Sources.

If your IdP is an Internal Ignition IdP, then it uses a User Source to log in. This user source could have a failover configured.

The drawback is that users/passwords are not synced with the central gateway in that case.

So if we wish to use the same "user source" at the edge and on central Ignition, then when the edge is isolated from the network and can't reach the IdP, users can't connect at the edge anymore?

It seems we can only use an AD user source for that use case?

Is there no option to have a local cache at the edge so users can connect when the external IdP is not reachable?

(Edge panel edition with Perspective)

If you aren't using a local IdP with Edge, you are screwing up. The Edge fallback needs to cover the purely local operations at that workstation. You simply cannot rely on a unified authentication system.

The only IdP that Ignition could cache is its own. Which is moot if on the same gateway as Edge itself. All other IdPs are external. Any caching would have to be handled at the one URL configured as the IdP.

I agree that a local IdP or some cache must be available at the edge.
Edge Panel's main use case is when the edge device is isolated from the network.

But with several edge sites and local Ignition IdPs, we have to create "local" users on each site, with permanent passwords.

It means "generic" users with passwords that never expire :open_mouth:
It will be tedious to connect to each edge site to change the password regularly...

Perhaps an EAM task to sync Ignition local IdP data from the central gateway to Ignition edge sites could be a solution?

Use system.util.sendRequest() from a central gateway to invoke a password change operation on target Edge device's user source.

Or configure the permanent local user to only have the bare minimum privileges to operate the machine. Anything else can wait for network restoration.

I don't see a way to change the password with a script.

See system.user.*. You retrieve the user with .getUser(), alter the user object by setting the password property, then call .editUser() to save the modification(s).

user.get("Password") always returns None.
user.getProperties() returns [badge, schedule, firstname, notes, language, username, lastname]

I think the user password is not available via script.

I would not expect password to ever be readable. Try this:

# Gateway scope (Jython). User.Password is the password property key; it is write-only.
from com.inductiveautomation.ignition.common.user import User
# Argument order is (userSource, username)
aUser = system.user.getUser('SomeSource', 'SomeName')
aUser.set(User.Password, "someNewPassword")
# editUser(userSource, user) saves the change; check response.getErrors() for failures
response = system.user.editUser('SomeSource', aUser)

Yes, that works from gateway scope!

I suppose that since the user object is serializable, it can be sent in the payload of system.util.sendRequest() and carry all the information (roles and password included) needed to update the user in the "remote" Ignition default user source.

If it works, we can sync users (with all their information) between the central gateway and the edge site gateway.

I hope that will still be available in 8.3 with the new secret management.

Don't send the user object in your message between gateways. Just send the user name and new password in the message payload and have the target gateway do the work. Return success or failure so your central script can cross that edge node off of its list of nodes that need rotated passwords.
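The rotation flow described in the replies above (central gateway calls system.util.sendRequest(), the edge gateway does the getUser/set/editUser work on its local user source and answers success or failure), written out as an added example that is not code from the thread or from Inductive Automation. It is Jython for gateway scope; the Ignition `system` module and the `User.Password` property are passed in as parameters so the same logic can be exercised outside a gateway (in a real gateway script pass the built-in `system` and `com.inductiveautomation.ignition.common.user.User.Password`). The message handler name "rotatePassword", the edge project name and the Gateway Network server names are assumptions; the `getErrors()` call is the UIResponse accessor documented for system.user.editUser().

```python
# Added example (not from the thread). Jython, Ignition gateway scope.
# Only username, user source and the new password travel in the payload;
# the user object itself is never sent between gateways.

# --- Edge side: body of a gateway message handler named "rotatePassword" ---
# In the handler script: return handle_rotate_password(system, User.Password, payload)
def handle_rotate_password(system, password_property, payload):
    """Apply one password change to this gateway's local user source.

    Returns {"ok": bool, "error": str or None} to the requesting gateway.
    """
    username = payload.get("username")
    new_password = payload.get("password")
    source = payload.get("userSource", "default")
    if not username or not new_password:
        return {"ok": False, "error": "username and password are required"}
    user = system.user.getUser(source, username)        # getUser(userSource, username)
    if user is None:
        return {"ok": False, "error": "user %r not found in source %r" % (username, source)}
    user.set(password_property, new_password)           # password is write-only, never read back
    response = system.user.editUser(source, user)       # editUser(userSource, user)
    errors = list(response.getErrors())                 # UIResponse carries errors/warnings/infos
    if errors:
        return {"ok": False, "error": "; ".join(str(e) for e in errors)}
    return {"ok": True, "error": None}


# --- Central side: push the change to every edge and keep the list still pending ---
def rotate_on_edges(system, edge_servers, username, new_password,
                    user_source="default", project="EdgeProject", timeout_sec=10):
    """Send the change to each Gateway Network server name in edge_servers.

    Returns the set of servers that did NOT confirm success (unreachable or
    rejected), so a scheduled script can retry only those once the network is back.
    """
    payload = {"username": username, "password": new_password, "userSource": user_source}
    pending = set(edge_servers)
    for server in edge_servers:
        try:
            result = system.util.sendRequest(project=project,
                                             messageHandler="rotatePassword",
                                             payload=payload,
                                             remoteServer=server,
                                             timeoutSec=timeout_sec)
        except Exception:                   # edge isolated or timed out: leave it pending
            continue
        if result and result.get("ok"):
            pending.discard(server)         # cross this node off the list
    return pending
```

Run `rotate_on_edges(system, ["edge-site-1", "edge-site-2"], "operator", newPassword)` from a central gateway timer or EAM script and persist the returned set; the next run retries only the nodes that are still pending, so an edge that was offline picks up the new password as soon as it reconnects.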

Is it an option to use Security Zones (especially, a localhost zone) whereby a user is not required to login in order to perform basic operations if operating locally? One mentality is that a bad actor - on-location - can cause plenty of damage outside of the capability of the touchscreen. Any elevated operations would still require login. Arguably, anything mission critical should not require elevated permissions.

I was thinking of syncing all users from the central gateway to the edge every day.
Users will mainly connect to the central gateway and change their password there.

Yes, but send that to every system, not the user object. (I doubt it can be sent.)