Nightly 8.1 Changelogs - 2022

Weekly Changelog: 8.1.24-b20221128

Security

6581: Step 1: IdP Auth Token Implementation

Previously, Designer and Vision Client instances authenticated with an IdP had to be completely restarted when a session was lost due to a temporary communications loss with the Gateway. Now, after a user authenticates with the IdP, a special auth token is generated with the session on the Gateway and saved in the memory of the Designer or Vision Client instance. When a connection is lost and later recovered, Designer and Vision Client instances can securely resume their sessions by passing the Gateway a valid auth token, without a complete restart. This should reduce the frequency of the Designer / Vision Client restart pain point.

Two settings control the lifecycle of an auth token:

  1. Inactivity Timeout: The number of minutes which must elapse before expiring a user's auth token due to inactivity caused by a disconnected session. Must be greater than zero. Default: 10 minutes.
  2. Time-To-Live (TTL): The maximum number of minutes a user's auth token may exist before it expires. If set to any number less than or equal to zero, auth tokens may live forever, as long as the auth token has not expired due to inactivity. Default: 0 minutes (does not expire).

For Designer auth tokens, these settings live in Gateway Web Interface > Config > Security > General.

For Vision Client auth tokens, these settings live in Designer > Project Menu > Properties > Vision > Login.

These settings do not apply to the Classic Authentication Strategy, since the Classic Authentication Strategy does not have this issue.

When redundancy is enabled, Vision Client auth tokens are synchronized from the Master to the Backup so that IdP-authenticated Vision Client sessions may be resumed seamlessly and securely during failover by using an auth token.

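The two lifecycle settings described above, modelled as an added example (this is not Ignition's own code). It assumes the inactivity clock starts when the session disconnects and that a token expires at exactly the configured number of minutes; all class and function names are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class TokenPolicy:
    inactivity_timeout_min: int = 10  # default stated in the changelog
    ttl_min: int = 0                  # default stated in the changelog: no age limit

    def __post_init__(self):
        # The changelog requires the inactivity timeout to be greater than zero.
        if self.inactivity_timeout_min <= 0:
            raise ValueError("Inactivity Timeout must be greater than zero")


@dataclass
class AuthToken:
    issued_at: datetime
    disconnected_at: Optional[datetime] = None  # None while the session is connected


def expiry_reason(token, policy, now):
    """Return 'ttl', 'inactivity', or None if the token may still resume a session."""
    # A TTL less than or equal to zero disables the age-based limit entirely.
    if policy.ttl_min > 0 and now - token.issued_at >= timedelta(minutes=policy.ttl_min):
        return "ttl"
    # Assumption: inactivity is measured from the moment the session disconnected.
    if token.disconnected_at is not None:
        idle = now - token.disconnected_at
        if idle >= timedelta(minutes=policy.inactivity_timeout_min):
            return "inactivity"
    return None


def audit(policy):
    """Flag a policy under which a token has no upper bound on its lifetime."""
    if policy.ttl_min <= 0:
        return [f"TTL <= 0: no maximum token age; only a disconnect of "
                f"{policy.inactivity_timeout_min}+ minutes expires a token"]
    return []


if __name__ == "__main__":
    t0 = datetime(2022, 11, 28, 8, 0)  # constructed sample timestamp
    token = AuthToken(issued_at=t0)
    print(expiry_reason(token, TokenPolicy(), t0 + timedelta(days=30)))             # None
    print(expiry_reason(token, TokenPolicy(ttl_min=480), t0 + timedelta(hours=8)))  # ttl
    print(audit(TokenPolicy()))
```

With the default TTL of 0, a token held by a session that stays connected never ages out, so a positive TTL is the only setting that bounds how long one token can be used to resume a session.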