Ignition Security - No Identity Provider Failover

It appears there is no way to specify a failover source when using an Identity Provider. What options do we have if a remote gateway loses connection to a central IDP?

We have a Keycloak IDP configured and working with SSO in a Hub/Spoke gateway architecture. However, we would still like to be able login (internal user source is fine) on the Spoke gateways when the IDP is not available (hard failover).

What type of IdP are you working with? Each IdP type has its own peculiarities.

OIDC requires that the Gateway is able to establish a connection with the OIDC IdP server’s token endpoint (and optional userinfo endpoint). These are https endpoints, and so multiple layers of fault tolerance may be applied. For example: you could set up a farm of multiple OIDC IdP servers and add an http load balancer which automatically fails over to the next IdP if the original target goes down. You could also set up a farm of load balancers which each have their own IP, and configure your DNS to map your IdP server’s name to each of the IPs. In this case, if one of the load balancers goes offline, the next one should be tried.

SAML does not require the gateway to connect to the IdP at all.

With both protocols mentioned above, the end user’s web browser must be able to reach the IdP server’s authentication pages in order for the user to log themselves in (proving their identity). The same fault-tolerant techniques mentioned for the OIDC token endpoint could be applied for the IdP’s user-facing authentication endpoints as well to reduce the chances of a connection failure.

At this point in time there is no concept of a failover IdP like their is for a user source profile. IdPs and user sources are fundamentally different models and I’d argue that some of the fault-tolerance responsibility lies with the IdP itself since there really is no way Ignition can detect an issue once the user navigates away to the IdP. That’s not to say that there may be an opportunity for Ignition to allow the user to choose from more than one IdP, but it would be up to the user to navigate back to Ignition when the primary IdP is not reachable or is failing for some reason, and then they can select the secondary IdP for authentication instead (which might be an internal IdP).

1 Like

Is it possible to use Azure SSO and failover to a user source? Example: a firewall rule change or outage breaks connection to Azure, can login failover to the local ignition default user source?

hi @wdougmiller @jspecht

One year later, here I am with a very similar requirement :joy:.

We are using Azure SSO SAML for our IDP. So far working ok, but there are times when we have no internet, which locks users out of the gateway. This is beyond our control. In these situation, we would like the operators to be able to still log in via traditional user source.

Is there a way to achieve this?

PS: I'm aware that ignition can't detect issues with an external IDP, but we are thinking more of having a choice for the user to log on either with IDP or traditional user source, so they themselves can make the call when the internet is down.


I am in almost the exact same situation, Azure SSO SAML and hoping for some form of a failover source.

i feel like i am missing something really basic. even if they cant detect issues with the external idp, it would still time out. i would be fine failing over after a timeout.