Switch User Syntax with SSO

All of our projects are configured to execute a system.security.switchUser script after 5 minutes of inactivity to log in with a local account with view-only access. We recently configured SSO, so this script is no longer working with the non-Active Directory account. We have tried using the credentials of an AD account, but the switch user function does not work. We have tried the following formats without success.

system.security.switchUser("Username", "Password")
system.security.switchUser("Username", "Password",(),0)
system.security.switchUser(Username,Password)

Is there a way to use the switchUser function with a project that has SSO enabled?

SSO is not recommended to be used in Vision anymore. I believe there's some security implications/concerns. If you do want to continue using it though, I don't have a solution for your problem. I would think this defeats the purpose of SSO if you're logging the user out after 5 minutes anyway.

This is for a project on an HMI in a winery that has controls for life safety equipment. If a user with control privileges forgets to log out, we want to switch to a user with view only access.

So why inherently trust the logged in user at all? I would disable SSO and use auto-login on the project with a read-only user then make the user login with their credentials every time with an inactivity timeout. (At least this is how I do it at all the plants I do).

Crucially, taking advantage of Vision's user sources allowing "soft" failover, so that you can have insecure/guest credentials in an "internal" user source and can leave your AD with strong/secure passwords.

As for this question - no, there's no way to initiate the (as mentioned, very insecure) "legacy" SSO option for Vision from scripting.

This is exactly what I do. Local user source with a "readonly" user who belongs to no groups/roles. My AD user source has a soft failover to the local user source so the autologin with the readonly user works and my autologout script switches back to this same user. Works well.
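
The autologout pattern described in the two replies above, written out as an added example (not code from either poster): a Vision client timer script that switches back to the view-only local user once the inactivity threshold is reached. It assumes a local user named "readonly" with no roles, a 300-second timeout, and the Ignition calls system.util.getInactivitySeconds(), system.security.getUsername() and system.security.switchUser(); the decision logic is kept in a plain function so it can be exercised outside Ignition.

```python
# Client Timer script for Ignition Vision (Jython). The decision logic is separated from the
# Ignition `system` calls so it can be run and tested outside a Vision client.
try:
    import system  # Ignition scripting API; only present inside a Vision client
except ImportError:
    system = None

READONLY_USER = "readonly"        # assumed: local ("internal") user source account, no roles
READONLY_PASSWORD = "readonly"    # assumed: deliberately weak, exists only in the local source
TIMEOUT_SECONDS = 300             # 5 minutes of inactivity, as in the original question


def check_inactivity(inactivity_seconds, current_user, switch_user,
                     readonly_user=READONLY_USER, readonly_password=READONLY_PASSWORD,
                     timeout=TIMEOUT_SECONDS):
    """Decide whether to drop back to the view-only user.

    switch_user(username, password, event, hideError) mirrors system.security.switchUser
    and returns True on success. Returns one of: 'idle', 'already_readonly', 'switched',
    'failed'.
    """
    if inactivity_seconds < timeout:
        return "idle"
    if current_user == readonly_user:
        # Idempotent: the client is already in the safe state, do not re-authenticate.
        return "already_readonly"
    # event=None: no originating component; hideError=True: do not pop a dialog on the HMI.
    if switch_user(readonly_user, readonly_password, None, True):
        return "switched"
    # A False result usually means the user source did not accept the credentials; with an
    # AD source this relies on "soft" failover to the local source holding the readonly user.
    return "failed"


def timer_tick():
    """Body to paste into a Vision Client Timer script (runs only inside Ignition)."""
    if system is None:
        raise RuntimeError("timer_tick() must run inside an Ignition Vision client")
    result = check_inactivity(system.util.getInactivitySeconds(),
                              system.security.getUsername(),
                              system.security.switchUser)
    if result == "failed":
        system.util.getLogger("autologout").warn("switchUser to readonly failed")
    return result
```

Pair the timer with project auto-login as the same readonly user so that a fresh client and a timed-out client end up in an identical view-only state.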

The majority of our users are using personal laptops for access, so we would like to leave SSO enabled. For the shared devices in our wineries, since we cannot use the switchuser function, we would like to use either system.security.logout() or system.util.exit() after x minutes of inactivity. However, if another user logs back in, they are not required to enter their SSO credentials. Is there a way to automate the clearing of their SSO authentication, so the next user is required to enter credentials on a shared device?

I'd say that should disqualify the known insecure SSO.

If you really want to go 2 directions with this to have laptops with SSO (which you now have several people with a lot of experience highly recommending you not use SSO), and still have shared devices that don't use SSO, you'll have to use inheritance on a parent project with all the resources on it, then change one of the projects to not use SSO (hopefully it is possible to split this) and override the few windows that handle the logon/logoff to allow it to use the switch user functionality to automatically log off the user.

Your best bet is to push back against this. Security and safety should never be compromised at the expense of convenience.