New Capability to Ask IdP to Force Re-Authentication of the User

The 5/19/2020 Nightly Release of Ignition 8.0.14 introduces the capability for Ignition to ask an Identity Provider to force re-authentication of the user (even if they have already established an authenticated session with the IdP). This new feature includes the following changes:

Designer

In the Project -> Properties menu of the designer, under Project / General, you will see a new checkbox with text “Always ask the IdP to re-authenticate users by default” (disabled by default). When enabled, unless otherwise specified by script or action triggering the login, Ignition will always ask the IdP to re-authenticate users who try to sign into the configured project IdP.

In Perspective, a new boolean argument named forceAuth was added to the system.perspective.login script function. Its description is as follows:

True if Ignition should ask the IdP to re-authenticate the user, even if the user is already signed into the IdP. False if Ignition should not ask the IdP to re-authenticate the user. If the IdP supports this option, the IdP will ask the user to re-enter their credentials, even if the user is already signed into the IdP. If omitted, the default value for this argument will fall back to the value in the Project Properties.

Also in Perspective, a new radio option was added to the Login Action configuration UI with text “Ask the IdP to re-authenticate users” with the following options:

  • Project (Default to the project’s general properties setting)
  • Enable (Enabling will ask the IdP to re-authenticate users when login is triggered from this action)
  • Disable (Disabling will not ask the IdP to re-authenticate users when login is triggered from this action)

Perspective Session Props

In Perspective, a new numeric prop named timestamp was added to session.props.auth.user which represents the timestamp of when Perspective last received an authentication response from the IdP which corresponds with the user’s current information (whether or not re-authentication was forced). The timestamp is the number of milliseconds from the epoch of 1970-01-01T00:00:00Z. This is useful in cases where someone wants to trigger a new forced authentication in Perspective after some period of time since the last forced authentication.

Ignition’s Built-in IdP

If the Ignition IdP receives a request to re-authenticate the user, the authentication UI will be displayed asking for whatever credentials are configured for the IdP (username/password, badge, or badge/password) whether or not the user already has an authenticated session.

The Ignition IdP will always add the standard OIDC claim auth_time on the ID token response going forward. Following the OIDC spec:

the auth_time value is a JSON number representing the number of seconds from 1970-01-01T0:0:0Z as measured in UTC until the date/time.

Example: 1311280969 (represents Thursday, July 21, 2011 1:42:49 PM GMT-07:00 DST). As far as the Ignition IdP goes, this timestamp corresponds with the last time the user successfully verified their credentials. That means that if the user successfully entered username/password at time t0, and they authenticate into a Perspective project some time later at t1 without forcing re-authentication, the auth_time value will correspond with t0 (not t1). If Perspective asks the IdP to re-authenticate the user, the auth_time value would correspond with t1 (since the user re-entered their credentials at t1).

The Ignition IdP will always add the non-standard claim challenged which will be set to true if the user was challenged to re-validate their credentials in order to generate the current ID token response, false if they were not challenged to re-validate their credentials.

Technical Details

For each type of third-party IdP, this is how Ignition asks the IdP to re-authenticate the user under the hood:

OpenID Connect 1.0

Ignition sets the prompt request parameter to value login and the max_age parameter to value 1. According to the OpenID Connect spec, if prompt=login:

The Authorization Server SHOULD prompt the End-User for reauthentication. If it cannot reauthenticate the End-User, it MUST return an error, typically login_required.

According to the spec on max_age:

Maximum Authentication Age. Specifies the allowable elapsed time in seconds since the last time the End-User was actively authenticated by the OP. If the elapsed time is greater than this value, the OP MUST attempt to actively re-authenticate the End-User.

SAML 2.0

Ignition sets the ForceAuthn attribute on the AuthnRequest XML element to a value of true. According to the spec, ForceAuthn is:

a Boolean value. If “true”, the identity provider MUST authenticate the presenter directly rather than rely on a previous security context. If a value is not provided, the default is “false”.
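As an added example (plain Python 3, not Ignition's own code; the post does not show Ignition's implementation), here is what the two requests described above look like on the wire, together with a check that reads them back and reports whether a request asks for fresh authentication. The endpoint URLs, client id and entity ids are placeholders, and the SAML request is unsigned.

```python
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import urlencode, urlsplit, parse_qs

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"


def build_oidc_authorization_url(authorize_endpoint, client_id, redirect_uri,
                                 state, nonce, force_auth):
    """Build an OIDC authorization-code request URL.

    When force_auth is True the request carries prompt=login and max_age=1,
    the two parameters the post says Ignition sets. Otherwise neither is sent
    and the OP is free to reuse the End-User's existing session.
    """
    params = {
        "response_type": "code",
        "scope": "openid",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,   # CSRF binding; must be unguessable in real use
        "nonce": nonce,   # replay binding; echoed back inside the ID token
    }
    if force_auth:
        params["prompt"] = "login"
        params["max_age"] = "1"
    return authorize_endpoint + "?" + urlencode(params)


def oidc_request_forces_reauth(url):
    """Return True if an authorization request URL asks the OP for fresh
    authentication: prompt contains 'login' (prompt is space-delimited), or
    max_age is 0 or 1 second, which effectively forces re-authentication."""
    query = parse_qs(urlsplit(url).query)
    prompts = query.get("prompt", [""])[0].split()
    if "login" in prompts:
        return True
    max_age = query.get("max_age", [None])[0]
    try:
        return max_age is not None and int(max_age) <= 1
    except ValueError:
        return False   # unparsable max_age: do not assume re-auth was requested


def build_saml_authn_request(issuer, acs_url, destination, force_auth,
                             issue_instant=None):
    """Build a minimal (unsigned) SAML 2.0 AuthnRequest as an XML string.

    ForceAuthn="true" is the attribute the post describes. It is omitted when
    force_auth is False, which the spec treats as "false".
    """
    ET.register_namespace("samlp", SAMLP_NS)
    ET.register_namespace("saml", SAML_NS)
    if issue_instant is None:
        issue_instant = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    req = ET.Element("{%s}AuthnRequest" % SAMLP_NS, {
        "ID": "_" + uuid.uuid4().hex,   # xs:ID may not start with a digit
        "Version": "2.0",
        "IssueInstant": issue_instant,
        "Destination": destination,
        "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    if force_auth:
        req.set("ForceAuthn", "true")
    ET.SubElement(req, "{%s}Issuer" % SAML_NS).text = issuer
    return ET.tostring(req, encoding="unicode")


def saml_request_forces_reauth(xml_text):
    """Return True if an AuthnRequest carries ForceAuthn="true" (default false)."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}AuthnRequest" % SAMLP_NS:
        raise ValueError("not a SAML 2.0 AuthnRequest")
    return root.get("ForceAuthn", "false").strip().lower() == "true"


if __name__ == "__main__":
    # Placeholder endpoints and identifiers, not a real deployment.
    print(build_oidc_authorization_url("https://idp.example/authorize", "ignition",
                                       "https://gw.example/oidc/cb", "s1", "n1", True))
    print(build_saml_authn_request("https://gw.example/saml", "https://gw.example/saml/acs",
                                   "https://idp.example/sso", True))
```

The read-back functions are the useful half for a defender: a gateway log or proxy capture of the outbound request can be fed to them to confirm the re-authentication parameters actually left the box, independent of what the IdP later reports.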

Important Note

Just because Ignition asks the IdP to re-authenticate the user does not guarantee that the IdP will re-authenticate the user. For example, some IdPs may not support this feature or may not abide by the open standards. It is a good idea to add a Security Level which is granted only if the IdP actually re-authenticated the user. Consult your IdP vendor’s documentation regarding how Ignition can verify that the IdP actually re-authenticated the user. For Ignition’s IdP, you may create a security level rule which checks that the auth_time is within an allowable threshold or that the challenged claim is true.
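An added example, not from Ignition and not an Ignition security-level rule (those are configured in the gateway rather than written in Python): plain Python 3 that encodes the two checks recommended above on the response side, plus the session-prop staleness check from the Perspective Session Props section. The claims are assumed to come from an ID token whose signature and issuer have already been verified; the sample claims, thresholds and skew tolerance are constructed for the example. Note the unit mismatch a rule author has to respect: auth_time is in seconds, session.props.auth.user.timestamp is in milliseconds.

```python
import time

# Assumed policy values for the example; a real deployment picks its own.
AUTH_TIME_MAX_AGE_SECONDS = 300   # credentials must have been verified within 5 min
CLOCK_SKEW_SECONDS = 60           # tolerate IdP/gateway clock drift of up to 1 min

# Constructed example payload (not a real token). auth_time is in SECONDS,
# like every OIDC time claim; the Perspective session prop is in MILLISECONDS.
SAMPLE_CLAIMS = {
    "sub": "operator1",
    "iat": 1589900000,
    "auth_time": 1589899700,   # credentials verified 300 s before iat
    "challenged": True,
}


def was_challenged(claims):
    """Ignition-IdP-specific check: the non-standard 'challenged' claim must be
    the JSON boolean true. A string "true" or a missing claim is not accepted."""
    return claims.get("challenged") is True


def auth_time_is_fresh(claims, now=None, max_age=AUTH_TIME_MAX_AGE_SECONDS,
                       skew=CLOCK_SKEW_SECONDS):
    """Standard-OIDC check: auth_time must be present, numeric, not in the
    future beyond the skew tolerance, and no older than max_age seconds."""
    now = time.time() if now is None else now
    auth_time = claims.get("auth_time")
    if isinstance(auth_time, bool) or not isinstance(auth_time, (int, float)):
        return False   # fail closed: the IdP did not say when the user authenticated
    if auth_time > now + skew:
        return False   # claims a future login; treat as invalid rather than fresh
    return (now - auth_time) <= max_age


def grant_fresh_auth_level(claims, now=None, max_age=AUTH_TIME_MAX_AGE_SECONDS,
                           require_challenge=True):
    """Decide whether a 'recently re-authenticated' security level may be granted.

    require_challenge=True demands both signals (stricter). With False the
    auth_time window alone decides, which also works against third-party IdPs
    that never emit 'challenged' but do emit auth_time.
    """
    if not auth_time_is_fresh(claims, now=now, max_age=max_age):
        return False
    return was_challenged(claims) if require_challenge else True


def should_force_reauth(last_auth_timestamp_ms, now_ms=None,
                        max_age_seconds=AUTH_TIME_MAX_AGE_SECONDS):
    """Session-side check built on session.props.auth.user.timestamp (ms).

    Returns True when the last IdP response is older than max_age, i.e. when a
    Perspective script would call system.perspective.login(forceAuth=True)
    (that call is Ignition's API and is not made here).
    """
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    if last_auth_timestamp_ms is None:
        return True   # never authenticated in this session
    return (now_ms - last_auth_timestamp_ms) > max_age_seconds * 1000


if __name__ == "__main__":
    now = SAMPLE_CLAIMS["iat"]
    print("challenged:", was_challenged(SAMPLE_CLAIMS))
    print("auth_time fresh (600 s window):", auth_time_is_fresh(SAMPLE_CLAIMS, now=now, max_age=600))
    print("grant level:", grant_fresh_auth_level(SAMPLE_CLAIMS, now=now, max_age=600))
    print("force re-auth after 4 h:", should_force_reauth(now * 1000, now_ms=(now + 4 * 3600) * 1000, max_age_seconds=3600))
```

Requiring both signals is the safer default when the IdP is Ignition's own: a token can carry a fresh auth_time without a challenge if the user happened to log in moments earlier, and the challenged claim alone says nothing about how long ago that challenge was.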

We hope this feature will add value for those of you who need to periodically re-authenticate users after some stale period of time. If you have any questions or find an issue with this new feature, let us know!
