Perspective project not picking up roles from User Source when using OpenID Connect 1.0 as IdP

Hi all,

I have an ‘OpenID Connect 1.0’ as identity provider configured properly getting user credentials from the company’s Microsoft Entra ID. The intention with that is just to get the username, first/last name, and email, but not SCADA roles. It works fine for gateway security, but when I try to use it for projects (only tried perspective), it seems like it completely ignores the UserSource (internal or DB) and gets all user info from IdP only, which doesn’t come with roles… Is that by design and I’m misunderstanding the architecture? Or am I just missing some configuration that would correlate IdP and UserSource to pick up roles?

One thing I noticed that would be different anyways is the user id, since the IdP gives a string UID as opposed to the default numeric id from a user source.

Please advise.

Perspective only uses user sources when using the internal Ignition IdP, which delegates to a user source. If you use an external IdP, there's no connection to user sources at all.

Ideally, you would work with your identity provider to provide the UserInfo via a custom (or existing) scope, then map the User Attributes accordingly.
If you must utilize an existing User Source... Hmmm ..
I believe you could utilize a runScript() expression within your OIDC provider (User Attribute Mapping @ Roles) to link the IdP to your user source and thereby return roles from the IdP at login. Something like the following might work if your sub claim matches a user in your user source:

runScript("system.user.getUser('MyUserSource', '" + {attribute-source:idTokenClaims:sub} + "').getRoles()")

Speculating that any user source which needs to initiate a follow-up & external request (LDAP, etc.) could cause some problems.
Unsure what negative impacts this would have on the login process...someone more equipped will need to chime in.

1 Like

Thanks, I figured I was missing something.

Great workaround. I couldn’t make it work at first, I couldn’t find the right syntax/keywords since my user source is based on email… anyways, this worked for me:

runScript("system.user.getUser('MyUserSource', '" + {attribute-source:userInfo:email} + "').getRoles()")

Thank you!

1 Like
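For the two runScript() mappings in the replies above, here is an added example (not code from the thread or from Inductive Automation) of a gateway script-library function that does the same user-source lookup but returns no roles when the sub/email claim matches no account, instead of erroring inside the login. It assumes a script module named oidc in the gateway scripting project that the IdP attribute mapping can reach, and the argument-passing form of runScript, so the claim is handed over as data rather than concatenated into a quoted code string.

```python
# Added example, not code from the thread: a gateway script-library function that
# performs the user-source lookup behind the runScript() mappings above, but returns
# no roles for an identity with no matching user instead of raising inside the login.
#
# Assumed IdP "Roles" attribute mapping (argument-passing form of runScript, so the
# claim value is passed as an argument rather than spliced into a quoted code string):
#   runScript("oidc.rolesForClaim", 0, "MyUserSource", {attribute-source:userInfo:email})

def rolesForClaim(userSource, claim, getUser=None):
    """Return the sorted role names of the user-source user named by the IdP claim
    (sub or email, whichever the user source keys on), or [] when there is none."""
    if getUser is None:
        import system  # Ignition gateway scripting API; only importable inside the gateway
        getUser = system.user.getUser
    if not claim:
        return []
    user = getUser(userSource, claim)
    if user is None:
        # Unknown in the user source: grant nothing rather than raise, which would
        # fail the whole login with an opaque error.
        return []
    return sorted(str(role) for role in user.getRoles())


# Constructed stand-in for system.user.getUser so the function can be exercised
# outside Ignition (the real call returns a User object exposing getRoles()).
_CONSTRUCTED_USER_SOURCE = {
    ("MyUserSource", "jane@example.com"): ["Operator", "Administrator"],
    ("MyUserSource", "joe@example.com"): [],
}

class _ConstructedUser(object):
    def __init__(self, roles):
        self._roles = roles

    def getRoles(self):
        return list(self._roles)

def constructedGetUser(userSource, username):
    roles = _CONSTRUCTED_USER_SOURCE.get((userSource, username))
    return None if roles is None else _ConstructedUser(roles)


if __name__ == "__main__":
    for email in ("jane@example.com", "joe@example.com", "nobody@example.com"):
        print(email, rolesForClaim("MyUserSource", email, constructedGetUser))
```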