Selecting a 3rd Party IdP for MFA

Our project requires MFA, so I am in the process of setting up a 3rd party IdP. Since our cloud gateway is already running on AWS, I tried to use Amazon Cognito but ran into issues logging users out because it does not return the state param. This has been a known issue for quite some time but I have not seen recent activity around it. [Forum Post].

I am now configuring Auth0, but the cost seems to be significant as our project scales.

I am curious if others have either 1.) found a way to make Cognito work or 2.) if you recommend a different provider that works well for your project.

The only thing I require is Authentication with MFA that can then map to user roles and security levels I have configured in our Ignition project to manage authorization. I'd also like to be able to integrate data from the IdP into a SIEM eventually.

Thanks in advance!

Sean, you say you have run into issues logging users out, but I have been able to log users out successfully using Cognito. Do you not get the prompt below after logging out?

For Auth0, they have a free tier. Does it not include MFA? Are you exceeding the monthly user count? There are lots of other IdP providers, and I would just start searching for one meeting your requirements and price them out. I've played with self-hosting some, and there are definitely some that are easier to use than others, but that's always an option if you want an entirely free but self-supported setup.

When I log out I get an Invalid Request error. My complete URL is below, as well as a screenshot. Could I have set something up incorrectly when configuring? I've gone through the docs and my settings multiple times at this stage.

https://us-west-2mpjm6ba4s.auth.us-west-2.amazoncognito.com/login?client_id=45j95lura301s0bsv3mid26voo&identity_provider_logout=true&logout_uri=https://oenmg4k4m4.execute-api.us-west-2.amazonaws.com/finalize?redirect_uri%3Dhttp%253A//localhost%253A8088/data/federate/callback/oidc%26state%3DeyJraWQiOiJrMSIsImFsZyI6IkhTMjU2In0.eyJqdGkiOiJpUkFfTWNNQ3REdWtzZ3c4ZUQwbWJwWTZWOXNvcWVxeEliVTJZd0l1MmJvIiwidXJpIjoiL3dlYi9jb25maWcvc2VjdXJpdHkuaWRwX2FkYXB0ZXJzIn0.zelHpToNAZv5sNMimM5w5sRJTLDwsNLn3V3YGruNAco

On the Ignition Gateway->Config->Identity Providers->Your IdP Settings, you will find a section called Provider Configuration/Logout URL. Here, your URL should look like this:

https://us-west-2mpjm6ba4s.auth.us-west-2.amazoncognito.com/logout?client_id=45j95lura301s0bsv3mid26voo&logout_uri=https://localhost:8088/data/perspective/client/YourProject

Notice the /logout? reference and the logout_uri path to your project.

Then, be sure the URL to your project is listed in the "Allowed sign-out URLs - optional" section in Cognito. That's it. Ignition will invalidate the session by sending you to the logout URL, and Cognito returns the call back to Ignition. You won't see the long URL you pasted in the browser when it all works correctly.
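To make the two requirements in the reply above checkable (the Logout URL must hit Cognito's /logout endpoint with client_id and logout_uri, and logout_uri must be listed as an allowed sign-out URL), here is a small added example, not Ignition's or Cognito's own code. It builds the Logout URL you would paste into the Ignition Provider Configuration and then lints a URL the way Cognito's endpoint will see it. The allow-list, the API-gateway host in the bad sample, and the rule that any parameter other than client_id and logout_uri is flagged are assumptions made for this example (the thread observes that extra parameters lead to a 400, and Cognito documents only those two for the logout_uri flow).

```python
"""Build and sanity-check the Cognito Hosted UI logout URL that Ignition sends the browser to.

Added example, not Ignition's or Cognito's own code. Assumes Cognito's /logout endpoint
takes client_id and logout_uri, and that logout_uri must exactly match one of the app
client's allowed sign-out URLs.
"""
from urllib.parse import urlsplit, urlencode, parse_qs, unquote

# Constructed sample allow-list, mirroring what you would type into Cognito under
# "Allowed sign-out URLs". Cognito matches these as exact strings, so scheme, host,
# port and path all have to agree with the logout_uri you send.
ALLOWED_SIGN_OUT_URLS = {
    "https://localhost:8088/data/perspective/client/YourProject",
}

# Parameters Cognito expects on /logout for the logout_uri flow (assumption: anything
# else, such as the OIDC post_logout_redirect_uri / id_token_hint / state that Ignition
# appends in the failing case, is reported as unexpected).
LOGOUT_PARAMS = {"client_id", "logout_uri"}


def build_logout_url(cognito_domain: str, client_id: str, logout_uri: str) -> str:
    """Return the Logout URL to paste into Ignition's Provider Configuration."""
    # urlencode percent-encodes logout_uri exactly once, which is what Cognito wants.
    query = urlencode({"client_id": client_id, "logout_uri": logout_uri})
    return f"https://{cognito_domain}/logout?{query}"


def check_logout_url(url: str, allowed_sign_out_urls: set) -> list:
    """Return a list of problems found in a logout URL; an empty list means it looks right."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        problems.append(f"scheme is {parts.scheme!r}; the Hosted UI is https only")
    if parts.path != "/logout":
        problems.append(f"path is {parts.path!r}, expected '/logout' (not '/login')")
    params = parse_qs(parts.query, keep_blank_values=True)
    if "client_id" not in params:
        problems.append("client_id is missing")
    logout_uri = params.get("logout_uri", [None])[0]
    if logout_uri is None:
        problems.append("logout_uri is missing")
    else:
        if logout_uri not in allowed_sign_out_urls:
            problems.append(f"logout_uri {logout_uri!r} is not in the allowed sign-out URLs")
        # parse_qs already decoded once; a '%' that still decodes to something else means
        # the value was percent-encoded twice, which Cognito will not match against the list.
        if "%" in logout_uri and unquote(logout_uri) != logout_uri:
            problems.append("logout_uri looks double-encoded")
    unexpected = sorted(set(params) - LOGOUT_PARAMS)
    if unexpected:
        problems.append(f"unexpected parameters: {', '.join(unexpected)}")
    return problems


if __name__ == "__main__":
    good = build_logout_url(
        "us-west-2mpjm6ba4s.auth.us-west-2.amazoncognito.com",
        "45j95lura301s0bsv3mid26voo",
        "https://localhost:8088/data/perspective/client/YourProject",
    )
    print(good)
    print("problems:", check_logout_url(good, ALLOWED_SIGN_OUT_URLS))

    # Constructed stand-in for the failing URL shape from the thread: /login instead of
    # /logout, a nested double-encoded redirect inside logout_uri, and an extra parameter.
    bad = (
        "https://us-west-2mpjm6ba4s.auth.us-west-2.amazoncognito.com/login"
        "?client_id=45j95lura301s0bsv3mid26voo&identity_provider_logout=true"
        "&logout_uri=https://your-api-id.execute-api.us-west-2.amazonaws.com/finalize"
        "?redirect_uri%3Dhttp%253A//localhost%253A8088/data/federate/callback/oidc"
    )
    for problem in check_logout_url(bad, ALLOWED_SIGN_OUT_URLS):
        print("-", problem)
```

Run it with the real Logout URL copied from the gateway's browser address bar when logout fails; each reported line maps to one of the settings in the reply above (endpoint path, allowed sign-out list, encoding) or to a parameter Cognito's /logout endpoint does not take.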

When I try this using a test logout on my project, the logout link seems to log me out of the session, but it immediately redirects to the login URL with incorrect parameters and gets a 400 error. I do see that the first logout? URL it generates does contain the state param, so that is progress! I'll include both URLs below. Thank you for your help!

https://us-west-2mpjm6ba4s.auth.us-west-2.amazoncognito.com/logout?client_id=45j95lura301s0bsv3mid26voo&logout_uri=https%3A%2F%2Fscada.nlineenergy.com%2Fdata%2Fperspective%2Fclient%2Fnline-cloud-scada&id_token_hint=eyJraWQiOiI1T0pHdzFoT2ZWMkVLYmdkMEpMMzlSR25pMHJPUGxSYWVcLzcwcWNIZStoST0iLCJhbGciOiJSUzI1NiJ9.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.XusSMFwwapkv8nrb63I1OrIybv8C2m3UUMs0aPgL1K0O0Ob4M8QEe7002RzGM1lD522kjKtplpgcjCKogo1K8QMplWYb8w8-o9-9y9W2oBbFnZoe3C--OXY49R2_lrJSNUEYF_TTaU8Iga0DVDxksIgWvBz7jMjkSCF6p2oYYwLP_8dEvu_jrSbyK3JN0N321oC4THXJfy4LyflWVQMxSMuvLnClyV0Z9ATydsA3zaiRoPESFiJr5y5pyDsP9vdwwSEDUdXOGAgz8IKfu6J6xXgHfywPbUz_G8m3NQ-6BjNo69KstBj3n6fklAsCKhlmfiaAg2HeIsMSuP1AYx4txQ&post_logout_redirect_uri=https%3A%2F%2Fscada.nlineenergy.com%2Fdata%2Ffederate%2Fcallback%2Foidc&state=eyJraWQiOiJrMSIsImFsZyI6IkhTMjU2In0.eyJqdGkiOiJueW9GenBaenZvZm8zSzgxQmF4YTZZTExhRnBVdkNOMTZjS3hqUHBSOVY4IiwidXJpIjoiL3dlYi9jb25maWcvc2VjdXJpdHkuaWRwX2FkYXB0ZXJzIn0.2Wys4K8jnQ85ublStfJapjktHlG9JE3jgCOgII5MKq8


https://us-west-2mpjm6ba4s.auth.us-west-2.amazoncognito.com/login?client_id=45j95lura301s0bsv3mid26voo&id_token_hint=eyJraWQiOiI1T0pHdzFoT2ZWMkVLYmdkMEpMMzlSR25pMHJPUGxSYWVcLzcwcWNIZStoST0iLCJhbGciOiJSUzI1NiJ9.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.XusSMFwwapkv8nrb63I1OrIybv8C2m3UUMs0aPgL1K0O0Ob4M8QEe7002RzGM1lD522kjKtplpgcjCKogo1K8QMplWYb8w8-o9-9y9W2oBbFnZoe3C--OXY49R2_lrJSNUEYF_TTaU8Iga0DVDxksIgWvBz7jMjkSCF6p2oYYwLP_8dEvu_jrSbyK3JN0N321oC4THXJfy4LyflWVQMxSMuvLnClyV0Z9ATydsA3zaiRoPESFiJr5y5pyDsP9vdwwSEDUdXOGAgz8IKfu6J6xXgHfywPbUz_G8m3NQ-6BjNo69KstBj3n6fklAsCKhlmfiaAg2HeIsMSuP1AYx4txQ&logout_uri=https://scada.nlineenergy.com/data/perspective/client/nline-cloud-scada&post_logout_redirect_uri=https://scada.nlineenergy.com/data/federate/callback/oidc&state=eyJraWQiOiJrMSIsImFsZyI6IkhTMjU2In0.eyJqdGkiOiJueW9GenBaenZvZm8zSzgxQmF4YTZZTExhRnBVdkNOMTZjS3hqUHBSOVY4IiwidXJpIjoiL3dlYi9jb25maWcvc2VjdXJpdHkuaWRwX2FkYXB0ZXJzIn0.2Wys4K8jnQ85ublStfJapjktHlG9JE3jgCOgII5MKq8

I've also tried with the logout URI being the same as the redirect URI, and also omitting it entirely. Similar issues: it keeps redirecting to a login page when it gets the additional params it is not expecting.

Here are the logout URLs I've tried, to no avail:

https://us-west-2mpjm6ba4s.auth.us-west-2.amazoncognito.com/logout

https://us-west-2mpjm6ba4s.auth.us-west-2.amazoncognito.com/logout?client_id=45j95lura301s0bsv3mid26voo

https://us-west-2mpjm6ba4s.auth.us-west-2.amazoncognito.com/logout?client_id=45j95lura301s0bsv3mid26voo&logout_uri=https://scada.nlineenergy.com/data/perspective/client/nline-cloud-scada