Selecting a 3rd Party IdP for MFA

Our project requires MFA, so I am in the process of setting up a 3rd party IdP. Since our cloud gateway is already running on AWS, I tried to use Amazon Cognito but ran into issues logging users out because it does not return the state param. This has been a known issue for quite some time but I have not seen recent activity around it. [Forum Post].

I am now configuring Auth0, but the cost seems to be significant as our project scales.

I am curious if others have either 1.) found a way to make Cognito work or 2.) if you recommend a different provider that works well for your project.

The only thing I require is Authentication with MFA that can then map to user roles and security levels I have configured in our Ignition project to manage authorization. I'd also like to be able to integrate data from the IdP into a SIEM eventually.

Thanks in advance!

Sean, you say you have run into issues logging users out, but I have been able to log users out successfully using Cognito. Do you not get the prompt below after logging out?

For Auth0, they have a free tier. Does it not include MFA? Are you exceeding the monthly user count? There's lots of other IdP providers and I would just start searching for one meeting your requirements and just price them out. I've played with self-hosting some and there's definitely some that are easier to use than others, but that's always an option for an entirely free but self-supported option.

When I log out I get an Invalid Request error. My complete URL is below, as well as a screenshot. Could I have set something up incorrectly when configuring? I've gone through the docs and my settings multiple times at this stage.

https://us-west-2mpjm6ba4s.auth.us-west-2.amazoncognito.com/login?client_id=45j95lura301s0bsv3mid26voo&identity_provider_logout=true&logout_uri=https://oenmg4k4m4.execute-api.us-west-2.amazonaws.com/finalize?redirect_uri%3Dhttp%253A//localhost%253A8088/data/federate/callback/oidc%26state%3DeyJraWQiOiJrMSIsImFsZyI6IkhTMjU2In0.eyJqdGkiOiJpUkFfTWNNQ3REdWtzZ3c4ZUQwbWJwWTZWOXNvcWVxeEliVTJZd0l1MmJvIiwidXJpIjoiL3dlYi9jb25maWcvc2VjdXJpdHkuaWRwX2FkYXB0ZXJzIn0.zelHpToNAZv5sNMimM5w5sRJTLDwsNLn3V3YGruNAco

On the Ignition Gateway->Config->Identity Providers->Your IdP Settings, you will find a section called Provider Configuration/Logout URL. Here, your URL should look like this:

https://us-west-2mpjm6ba4s.auth.us-west-2.amazoncognito.com/logout?client_id=45j95lura301s0bsv3mid26voo&logout_uri=https://localhost:8088/data/perspective/client/YourProject

Notice the /logout? reference and the logout_uri path to your project.

Then, be sure the URL to your project is listed in the "Allowed sign-out URLs - optional" section in Cognito. That's it... Ignition will invalidate the session by sending you to the logout URL, and Cognito will return the call back to Ignition. You won't see the long URL you pasted in the browser when it all works correctly.
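To sanity-check an Ignition Logout URL against the shape described in this answer before pasting it into the Identity Providers settings, here is an added example (not from the thread, Ignition or Cognito) that parses the URL and compares logout_uri, after percent-decoding, against a locally maintained copy of the app client's allowed sign-out list. ALLOWED_SIGN_OUT_URLS is a constructed value taken from the answer's example URL; the "extra parameters" check is only an observation that the URL deviates from the two-parameter shape shown above.

```python
from urllib.parse import urlsplit, parse_qs

# Allowed sign-out URLs registered on the Cognito app client. Constructed
# here from the example in the answer; Cognito compares these exactly, so
# scheme, host, port and path must all match the registered entry.
ALLOWED_SIGN_OUT_URLS = {
    "https://localhost:8088/data/perspective/client/YourProject",
}

# Parameter set of the logout_uri form of the /logout endpoint, which is the
# shape recommended in the answer above.
LOGOUT_URI_FORM = {"client_id", "logout_uri"}


def check_logout_url(url, allowed=ALLOWED_SIGN_OUT_URLS):
    """Return a list of problems found in a candidate Logout URL setting.

    An empty list means the URL has the shape described in the answer:
    https scheme, /logout path, a client_id, and a logout_uri that is one
    of the registered sign-out URLs. Order of checks is fixed so callers
    can compare the list directly.
    """
    parts = urlsplit(url)
    # parse_qs percent-decodes values, so an encoded logout_uri
    # (https%3A%2F%2F...) compares equal to its registered plain form.
    params = parse_qs(parts.query, keep_blank_values=True)
    problems = []
    if parts.scheme != "https":
        problems.append("scheme is not https")
    if parts.path != "/logout":
        problems.append(f"path is {parts.path!r}, expected '/logout'")
    if "client_id" not in params:
        problems.append("missing client_id")
    logout_uris = params.get("logout_uri", [])
    if not logout_uris:
        problems.append("missing logout_uri")
    elif logout_uris[0] not in allowed:
        problems.append("logout_uri is not in the allowed sign-out URLs")
    extra = set(params) - LOGOUT_URI_FORM
    if extra:
        problems.append("extra parameters: " + ", ".join(sorted(extra)))
    return problems


if __name__ == "__main__":
    # The URL from the answer above should pass cleanly.
    good = ("https://us-west-2mpjm6ba4s.auth.us-west-2.amazoncognito.com/logout"
            "?client_id=45j95lura301s0bsv3mid26voo"
            "&logout_uri=https://localhost:8088/data/perspective/client/YourProject")
    print(check_logout_url(good) or "OK")
```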

When I try this using a test logout on my project, the logout link seems to log me out of the session, but it immediately redirects to the login URL with incorrect parameters and gets a 400 error. I do see that the first logout? URL it generates does contain the state param, so that is progress! I'll include both URLs below. Thank you for your help!

https://us-west-2mpjm6ba4s.auth.us-west-2.amazoncognito.com/logout?client_id=45j95lura301s0bsv3mid26voo&logout_uri=https%3A%2F%2Fscada.nlineenergy.com%2Fdata%2Fperspective%2Fclient%2Fnline-cloud-scada&id_token_hint=eyJraWQiOiI1T0pHdzFoT2ZWMkVLYmdkMEpMMzlSR25pMHJPUGxSYWVcLzcwcWNIZStoST0iLCJhbGciOiJSUzI1NiJ9.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.XusSMFwwapkv8nrb63I1OrIybv8C2m3UUMs0aPgL1K0O0Ob4M8QEe7002RzGM1lD522kjKtplpgcjCKogo1K8QMplWYb8w8-o9-9y9W2oBbFnZoe3C--OXY49R2_lrJSNUEYF_TTaU8Iga0DVDxksIgWvBz7jMjkSCF6p2oYYwLP_8dEvu_jrSbyK3JN0N321oC4THXJfy4LyflWVQMxSMuvLnClyV0Z9ATydsA3zaiRoPESFiJr5y5pyDsP9vdwwSEDUdXOGAgz8IKfu6J6xXgHfywPbUz_G8m3NQ-6BjNo69KstBj3n6fklAsCKhlmfiaAg2HeIsMSuP1AYx4txQ&post_logout_redirect_uri=https%3A%2F%2Fscada.nlineenergy.com%2Fdata%2Ffederate%2Fcallback%2Foidc&state=eyJraWQiOiJrMSIsImFsZyI6IkhTMjU2In0.eyJqdGkiOiJueW9GenBaenZvZm8zSzgxQmF4YTZZTExhRnBVdkNOMTZjS3hqUHBSOVY4IiwidXJpIjoiL3dlYi9jb25maWcvc2VjdXJpdHkuaWRwX2FkYXB0ZXJzIn0.2Wys4K8jnQ85ublStfJapjktHlG9JE3jgCOgII5MKq8


https://us-west-2mpjm6ba4s.auth.us-west-2.amazoncognito.com/login?client_id=45j95lura301s0bsv3mid26voo&id_token_hint=eyJraWQiOiI1T0pHdzFoT2ZWMkVLYmdkMEpMMzlSR25pMHJPUGxSYWVcLzcwcWNIZStoST0iLCJhbGciOiJSUzI1NiJ9.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.XusSMFwwapkv8nrb63I1OrIybv8C2m3UUMs0aPgL1K0O0Ob4M8QEe7002RzGM1lD522kjKtplpgcjCKogo1K8QMplWYb8w8-o9-9y9W2oBbFnZoe3C--OXY49R2_lrJSNUEYF_TTaU8Iga0DVDxksIgWvBz7jMjkSCF6p2oYYwLP_8dEvu_jrSbyK3JN0N321oC4THXJfy4LyflWVQMxSMuvLnClyV0Z9ATydsA3zaiRoPESFiJr5y5pyDsP9vdwwSEDUdXOGAgz8IKfu6J6xXgHfywPbUz_G8m3NQ-6BjNo69KstBj3n6fklAsCKhlmfiaAg2HeIsMSuP1AYx4txQ&logout_uri=https://scada.nlineenergy.com/data/perspective/client/nline-cloud-scada&post_logout_redirect_uri=https://scada.nlineenergy.com/data/federate/callback/oidc&state=eyJraWQiOiJrMSIsImFsZyI6IkhTMjU2In0.eyJqdGkiOiJueW9GenBaenZvZm8zSzgxQmF4YTZZTExhRnBVdkNOMTZjS3hqUHBSOVY4IiwidXJpIjoiL3dlYi9jb25maWcvc2VjdXJpdHkuaWRwX2FkYXB0ZXJzIn0.2Wys4K8jnQ85ublStfJapjktHlG9JE3jgCOgII5MKq8

I've also tried with the logout URI being the same as the redirect URI and also omitting it entirely. Similar issues; it keeps redirecting to a login page when it gets the additional params it is not expecting.

Here are the logout URLs I've tried, to no avail:

https://us-west-2mpjm6ba4s.auth.us-west-2.amazoncognito.com/logout

https://us-west-2mpjm6ba4s.auth.us-west-2.amazoncognito.com/logout?client_id=45j95lura301s0bsv3mid26voo

https://us-west-2mpjm6ba4s.auth.us-west-2.amazoncognito.com/logout?client_id=45j95lura301s0bsv3mid26voo&logout_uri=https://scada.nlineenergy.com/data/perspective/client/nline-cloud-scada

The last link you posted looks like it is in the correct format, but without knowing where you are entering this in (and the countless other settings that need to be in place on both Ignition and Cognito), it is hard to know what is going on.

Out of curiosity, the starting part of the URL (us-west-2mpj... etc.) seems to indicate you haven't created a Cognito Domain. If/when you create a domain, you get a more personalized URL, say nlineenergy.auth.us-west-2.amazoncognito.com. This missing domain might be a reason it isn't working... not sure, just comparing between what I have vs. what you have.

I am using the domain that was generated by Cognito, hence the us-west-2mpj... I did not create a custom domain for this project. I assume that since I am able to complete the login this domain is working, but it certainly could be the case.

I went ahead and created a tenant with Auth0, and this seems to be working as expected; we'll be able to run our project under the free plan for the foreseeable future. I may come back to revisit switching back over to Cognito in the future if and when time allows.

I really appreciate your help on this! I understand with all the settings that need to be configured it is hard to diagnose and troubleshoot over a discussion board. Thanks for taking the time to help me work on this and explaining the steps very clearly!