I am setting up access control for two projects I have on my gateway.
Each project is for a specific user group, but I would also like the Designers/Integrators (default User source) to have access to the projects.
So I have set up these user sources:
UsersForProject1
UsersForProject2
default
All users will be internal. Do I need to set up Identity Providers for each user source or can they all use the default Identity Provider? I imagine that a soft failover would be the way to go so that the default user source has access to all projects, but can I do that without creating Identity Providers for each user source?
I changed the Project Properties to use the respective User Source, “UsersForProject”, but I am unable to log into the gateway or the project session.
Am I on the right track or is there another way to do this?
AFAIK, IdPs to user sources is a 1:1 ratio. For every user source you want to use, you must have an IdP for it. Then the same with the project. You can only assign it one IdP.
Go to $/web/config/security.General?12 (Config → Security → General) to configure the designer's auth strategy. By default, it will use the default user source and allow you to access all projects in the designer.
This is not. A user source can have soft failover to another user source (which can then soft fail to another). The IdP pointing at the first in the chain will neither know nor care.
You should make user sources and identity providers for each project. Those user sources should soft fail to the default. (Not to each other.)
Note that there is no such thing as failover in the Identity Provider standards. This behavior is only available with Ignition's internal IdP.