I am a little lost on Security. Initially I set up user logins with nothing special. To get to my Perspective application, you had to be "authenticated" to view it. Super simple. We are now trying to set up different views based on user roles. I have not used an IdP before and found I need to map user roles. I am feeling a little lost as setup appears to be way more complicated for a newb. Any help would be appreciated. Hopefully this is not a big ask. Security in Vision was way easier.
I looked at several docs and am feeling lost. Is there an example of a basic project using the default IdP in Ignition? Simple setup with mapping user roles to the IdP.
What I have started to set up...
I added security levels to match the Roles I created.
I get to the User Attribute Mapping and am not sure how to proceed with that. I watched a few videos and they didn't help too much. Most examples show an external IdP like Okta. In the image below, I am not sure how to update this to link my Roles to the IdP.
Ultimately, I want to have full access for an Admin Account. For other logins I want to restrict access to certain views or functions. Say an "Outside_Contractor" logs in, they would get a different startup view. I am also having some difficulty getting a login to change the default view. I tried using an On-Change script on the authenticated username. Was not successful. Added the script to the session prop below. I have since removed it.
Others will be able to help more as it's been a couple years since I've worked on a Perspective project and set all this up, but first, make sure you go through the IdP videos on Inductive University:
But if I recall, you don't need to create the security levels as you'll probably just be using the roles of the users. If you test a login and look at the raw data from the IdP, you'll see a section of their groups/roles and it should list them there. From there, you can add expressions to buttons and other controls using the isAuthorized function:
Thanks! I will check out the videos again. This is a new setup for me and not what I am used to.
I just found the test login on the IdP. It looks like adding the roles to the "Use Mapped Attribute" helped. They were not there before and I added them in.
When editing the User Attribute Mapping, it shows a path of 'roles'. I was thinking this needed to be 'authenticated/roles'. Looks like the "authenticated" gets stripped. And the path uses just 'roles'.
You may be using Ignition's internal identity provider, but in your head you should still view it as this diagram shows. Ignition is passing the information you log in with to the IdP, and the IdP will respond with a token that Ignition uses to determine your authentication.
I highly recommend using the "Test Login" feature of the Identity Provider by going to the Gateway Webpage > Config > IdP > More > Test Login. From here you can see what Michael pointed out, that the Security Levels exist in the IdP regardless of your defined structure in Ignition. You don't technically need to define the levels for expressions to work, etc. (This becomes confusing when you are using an internal provider because all the info is technically in Ignition already.)
This means that defining Security Levels in Ignition is required even for internal IdPs.
For your simple setup of an internal Ignition IdP, you should not need to set up anything beyond the Security Levels in order to select them from your security menu in the Designer (you do not need to do User Attribute Mapping typically for a simple User Source > IdP).
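As an added illustration that is not part of this thread or of Ignition's own code, the following Python model ties together the two points made above: the `roles` attribute shown by Test Login becoming `Authenticated/Roles/<role>` security levels, and an `isAuthorized`-style check gating views by those levels. The JSON payload, view names and function names are constructed for the example, and the hierarchical matching is a simplified model of how security levels behave.

```python
import json

# Constructed stand-in for what Test Login shows for one user.
# Real Test Login output has more fields; only 'roles' matters here.
SAMPLE_TEST_LOGIN = json.dumps({
    "username": "contractor01",
    "roles": ["Outside_Contractor"],
})

# Constructed view permission table: view path -> levels that may open it.
VIEW_PERMISSIONS = {
    "Admin/Settings": ["Authenticated/Roles/Admin"],
    "Contractor/Home": ["Authenticated/Roles/Outside_Contractor",
                        "Authenticated/Roles/Admin"],
    "Public/Home": ["Authenticated"],
}


def roles_to_security_levels(test_login_json):
    """Mapping path is just 'roles' (the 'Authenticated' prefix is implied),
    and each role lands under Authenticated/Roles/<role>."""
    data = json.loads(test_login_json)
    levels = {"Authenticated"}
    for role in data.get("roles", []):
        levels.add("Authenticated/Roles/" + role)
    return levels


def _holds(user_levels, required):
    # Hierarchical match: holding a child level implies its parents, so
    # Authenticated/Roles/Admin also satisfies Authenticated/Roles.
    return any(lvl == required or lvl.startswith(required + "/")
               for lvl in user_levels)


def is_authorized(require_all, levels, user_levels):
    """Simplified model of isAuthorized: with require_all=True every listed
    level must be held; with False any one of them is enough."""
    checks = [_holds(user_levels, lvl) for lvl in levels]
    return all(checks) if require_all else any(checks)


def can_open_view(view, user_levels):
    # A view with no entry in the table is denied by default.
    allowed = VIEW_PERMISSIONS.get(view)
    return bool(allowed) and is_authorized(False, allowed, user_levels)


def startup_view(user_levels):
    # Pick the first view this user may open, most privileged first.
    for view in ("Admin/Settings", "Contractor/Home", "Public/Home"):
        if can_open_view(view, user_levels):
            return view
    return None
```

Replacing `SAMPLE_TEST_LOGIN` with the roles seen in your own Test Login output is a quick way to sanity-check which views each account would reach before touching the Designer.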
@kvane Updating my Security Levels looked to be what I was missing. After that I was able to edit View Permissions. Logging in as different users, I now can block access.