Remote IDP through GW network

Anyone know if there are plans to expose an IDP to other GWs as a remote provider? Would something like that even be possible?

There are no concrete plans that I am aware of for exposing an IdP configured locally on Gateway A as an IdP configured remotely on Gateway B (assuming I understood what you meant).

Could you give some more information about your use case and what problem you are trying to solve?

Specifically for companies that place their plant gateways in segmented networks that are not internet facing. Providing remote services like this through the GW network becomes easier for IT groups to manage. Fewer holes to poke through firewalls.

Just to be clear: you are talking about exposing the internal IdP built into Ignition to other remote Gateways on the Gateway Network, right? (not external OIDC/SAML IdPs)

No

One Ignition GW with an IdP using OIDC or SAML. Other GWs use the GW network to use that as the IDP.

If all you are trying to do is avoid poking more holes in the firewall than is necessary, you could use a SAML IdP. Each of the Gateways in the Gateway network would have to be configured with this SAML IdP and the SAML IdP would have to be configured to allow redirects back to any of the Gateways in the Gateway Network.

For OIDC IdPs, the Gateway does require an outbound connection to the IdP’s token endpoint (and optional userinfo endpoint), so I could see the benefit of only having to expose one Gateway’s outbound connection to the IdP and having other Gateways proxy/tunnel the outbound call through the one Gateway. Though you could work around this right now by setting up a proxy server as the single outbound point to the IdP and each of the Gateways in the Gateway network could point their token/userinfo endpoints through the proxy. No matter what though, you will always need to expose at least one outbound connection from your Gateway network to the IdP for OIDC-based authentication.

Granted, the setup for what I mention above is cumbersome right now. I could see the argument for making this easier using remote IdPs or even EAM to push IdP configuration out to multiple Gateways on the Gateway Network. I’ll bring this up internally to at least start a discussion about it.

2 Likes
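As an added illustration of the single-outbound-point setup described above (this is not configuration from the thread, from Ignition, or from any IdP vendor), here is a Squid forward-proxy allowlist: Gateways in the plant network point their OIDC token/userinfo endpoints through this proxy, and the proxy only permits TLS tunnels from the Gateway subnet to the IdP host. The subnet, hostname and port are placeholders.

```squid
# Added example: Squid as the one egress point from the Gateway network
# to the OIDC IdP. All addresses below are placeholders, not real values.
http_port 3128

# Placeholder: the subnet the Ignition Gateways live on.
acl gw_net src 10.10.20.0/24
# Placeholder: the hostname of the OIDC IdP (token and userinfo endpoints).
acl idp_host dstdomain idp.example.com
acl tls_port port 443
acl CONNECT method CONNECT

# Gateways reach the IdP over HTTPS, which arrives at the proxy as a CONNECT
# tunnel. The proxy sees only host and port, not the URL path, so the
# allowlist is host-level; path restrictions would need TLS inspection.
http_access allow gw_net CONNECT idp_host tls_port

# Everything else (other sources, other hosts, plain HTTP) is refused,
# so the only firewall rule needed is proxy -> IdP on 443.
http_access deny all
```

Each Gateway still needs the IdP's token and userinfo URLs configured as usual; only the route those calls take changes, so log the proxy's access log to see exactly which Gateway hit which endpoint.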

Glad I asked. Thanks for the response.

1 Like