I need to set up Single Sign On using Active Directory across Ignition gateways and projects within those gateways. Currently I only have access to two gateways. One is on my computer locally, and the other in a different location that I do not have physical access to. I am working on getting access to at minimum one other one for testing purposes.
I have contacted my IT department to set up SSO on the locally hosted gateway, and from my understanding of the docs and the ticket I submitted, IT will give me OpenID Connect or OAuth2 credentials to use for authentication.
This could be a question for IT, but would the credentials given work for all of the gateways (including ones on different networks but under the same domain name), or would I need to get credentials for each gateway individually?
Another question: is this setup possible? If it is, how exactly would I pass authentication to another gateway? I had a look at the docs and really the only thing I could find is gateway networks, but I am not sure what the correct way to do this is.
Instead, you set up as many gateways as you have to point back to your central AD instance.
When an end user needs to log in, they'll be automatically sent to the identity provider (AD in this case) to perform any login/authorization steps needed - Ignition never sees the credentials. Then the identity provider redirects the user back to the gateway and essentially says "okay, Alice/Bob are allowed to log in, here's the roles they have".
The actual process of setting up the IdPs is annoyingly convoluted, but usually something IT departments have a fair amount of experience with:
If this is the case, you would set up a new Identity Provider, whereby the OIDC provider would handle the SSO across multiple gateways.
While it's possible to link OIDC to an AD User Source (within Ignition), I recommend you work with IT to ensure that everything you need for authentication (especially user Roles) can be returned by the OIDC provider, and abandon the AD source.
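A sketch of the redirect-and-claims exchange the replies above describe, added here as a worked example (it is not code from this thread, from Ignition, or from any IdP): a mock IdP mints an ID token for one registered client, and the gateway side performs the checks a relying party must do before trusting the roles in that token. The issuer URL, the client IDs and secrets, the `roles` claim name, and the choice of HS256 (signing with the client secret, which OIDC permits) are assumptions made so the demo runs on the Python standard library; real IdPs usually sign with RS256 and publish keys via JWKS, and the name of the claim that carries roles is exactly the thing to agree with IT.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed IdP configuration (hypothetical values, not from the thread).
ISSUER = "https://idp.example.corp"
CLIENTS = {                      # each gateway registered as its own OIDC client
    "gateway-plant-a": "secret-a",
    "gateway-plant-b": "secret-b",
}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def idp_issue_id_token(client_id, subject, roles, nonce, now=None, ttl=300):
    """IdP side: after the user authenticates against AD, mint an ID token
    bound to the requesting client (aud) and to the gateway's nonce."""
    now = int(now if now is not None else time.time())
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": ISSUER, "sub": subject, "aud": client_id,
        "iat": now, "exp": now + ttl, "nonce": nonce,
        "roles": roles,              # assumed claim name carrying AD groups/roles
    }
    signing_input = (
        b64url(json.dumps(header, separators=(",", ":")).encode()) + "." +
        b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(CLIENTS[client_id].encode(), signing_input.encode(),
                   hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


class TokenRejected(Exception):
    """Raised by the relying party when any mandatory check fails."""


def gateway_validate_id_token(token, client_id, client_secret, expected_nonce,
                              now=None):
    """Relying-party (gateway) side: signature, alg, issuer, audience, expiry
    and nonce are all checked before any claim is believed."""
    try:
        h64, c64, s64 = token.split(".")
    except ValueError:
        raise TokenRejected("malformed token")
    header = json.loads(b64url_decode(h64))
    if header.get("alg") != "HS256":           # never accept 'none' or a surprise alg
        raise TokenRejected("unexpected alg")
    expected_sig = hmac.new(client_secret.encode(), f"{h64}.{c64}".encode(),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(s64)):
        raise TokenRejected("bad signature")
    claims = json.loads(b64url_decode(c64))
    if claims.get("iss") != ISSUER:
        raise TokenRejected("wrong issuer")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if client_id not in aud:                    # token minted for a different client
        raise TokenRejected("audience mismatch")
    now = int(now if now is not None else time.time())
    if now >= int(claims.get("exp", 0)):
        raise TokenRejected("token expired")
    if claims.get("nonce") != expected_nonce:   # binds the token to this login attempt
        raise TokenRejected("nonce mismatch")
    return claims


def map_roles(claims, role_claim="roles"):
    """Turn the IdP's role claim into a clean, de-duplicated role list."""
    roles = claims.get(role_claim)
    if not isinstance(roles, list):
        return []
    return sorted({r for r in roles if isinstance(r, str)})


if __name__ == "__main__":
    tok = idp_issue_id_token("gateway-plant-a", "alice",
                             ["Operator", "Administrator"], nonce="n1")
    claims = gateway_validate_id_token(tok, "gateway-plant-a", "secret-a", "n1")
    print(claims["sub"], "->", map_roles(claims))
```

The failure cases are the ones worth keeping in mind when wiring up more than one gateway: a token minted for one client fails the signature and audience checks at another, an expired token is refused, and a token that does not carry the nonce the gateway generated for this login attempt is refused even if everything else is valid.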