I don’t know whether this has been requested or discussed before, but…how about offering an option to save designer login credentials?
Can you tell us more about what the goal is here? Sounds like you’re asking to make the Designer less secure, which is scary to us, because someone with access to the Designer has access to changing quite a bit about your project and your data.
Although, if you use Active directory, it is possible to use SSO (Single Sign On) with the designer.
2 Likes
Well, simply an option/request to save the credentials after entering them at the login screen (see image), the same way many browsers do when accessing password-protected sites. Or a “remember me” checkbox. Or integration with password managers. Whatever. Having to re-enter complex credentials by hand every time is quite annoying.
Now that is a great idea. KeepassXC please. (:
1 Like
Password managers are already usable with like one extra step beyond full integration: invoke your PW manager shortcut, type in enough to get this entry to show up, then copy the password.
If you have a complex username as well I guess that’s pretty annoying.
I have no idea how integration with a password manager can be done from Java.
That was just an idea; a simple "remember credentials" checkbox would be more than enough for me. In fact I'm surprised I found no previous discussion in the forum, I would guess that other people want to be able to save their credentials.
It’s not possible to securely remember credentials, though, which is (part of) why we’ve never done it.
Where do you think they’d get saved to?
I don’t know the internals of the designer, but I guess that it’s doable, given the number of other programs that offer that option (browsers are the obvious example). If not, then well, no worries; it was just a convenience feature.
Oh, it’s easily doable, but not in a secure fashion. Your designer prefs are just saved into a json(?) file, which can easily be read by anyone with access to your environment and an idea of where to look.
1 Like
I’m just trying to explain why a feature that seems simple on the surface isn’t actually simple at all.
A password manager works by deriving an encryption key from your master password and then storing data only once it’s been encrypted using that key, and decrypting data using that key when you ask it for information.
A browser password manager, when you’re logged into an account, works the same way in principle.
A browser storing your passwords when you are not logged in may as well be storing your credentials in plaintext. They are likely obfuscated and hidden somewhere, but they are not stored securely.
At best Ignition would store your credentials in an obfuscated manner somewhere on disk, which from a security perspective may as well be plaintext because anybody who knows what they’re looking for can derive the plaintext.
1 Like
Not to argue, but if someone gets access to the machine and the password was saved (assuming the designer feature were implemented), they can just fire up the designer and find the credentials already filled in, so they’re in anyway, regardless of how they’re saved on disk.
And If one is (rightly) worried about that, they can simply choose to not save their credentials. I’m not advocating mandatory saving of credentials of course.
Yes you’re right about that.
I don’t really know why I’m arguing about this, it’s a valid request. You can make it official at https://ideas.inductiveautomation.com.
In the past people have asked for client auto-login, but this is the first I’ve heard for the designer.
1 Like
If it isn't done with a password manager, I'd like to be able to down-vote it.
No, generally not. Password managers toss their keys when the screen locks or the computer sleeps, and have to be decrypted separately from user login. Screen locking is a security best practice in general, for the same reason.
KeepassXC listens on a local port for connections from user-approved applications that can ask for the user/pwd combo for specific URLs. It is an open-source project, so its methods of securing this are inspectable. If there was an extension point for client and/or designer login, it probably wouldn't be hard to write a module that conforms to that interface.
In the future, we would like to make the Designer Identity Provider aware, which opens up many possibilities such as web browser SSO using a “Remember Me” option (where we cache your session on a token or cookie basis). We would also get password manager support for free through the browser and the potential for new open standards such as webauthn.
No, of course, I was talking about the "simple" case (no password manager integration).