Writing to Edge tags from a Central Gateway using OIDC authentication

Hello,

For a project, I have the following architecture:

  • One Ignition Standard Gateway, connected to an LDAP using OpenID Connect

  • On a remote site, an Ignition Edge Panel

  • A Gateway Network connection configured between the two Gateways

Currently, from the central Gateway, I am able to read and write to the tags hosted on the Edge Gateway (since no security rules are applied yet).

I would now like to implement a more granular write-permission strategy, so that only certain users authenticated on OpenID Connect on the central Gateway (for example with an “Operator” security level) are allowed to write to specific tags hosted on the Edge.

Initially, it was not planned to connect the Edge Gateway to the LDAP. Therefore, I did the following on the Edge:

  • created local user accounts and local roles,

  • configured Security Level Rules to assign Security Levels based on those roles,

  • used the same Security Level hierarchy as on the central Gateway, with the goal of having matching and valid Security Levels on both Gateways.

However, this approach does not seem to work. It is not possible to grant write permissions from the central Gateway based on the Security Levels resulting from OIDC authentication.

Based on my investigations, since permission checks are evaluated on the Gateway hosting the tags (the Edge), the user authenticated via OIDC on the central Gateway is not recognized on the Edge, and therefore has no write permissions.

The intended architecture goal was:

  • under normal operation, to use the central Gateway with OIDC authentication,

  • in case of network failure or central Gateway unavailability, to allow local operation using local accounts on the Edge Gateway (degraded mode).

At this point, I am blocked in implementing the security layer correctly from the central Gateway. From what I understand, it would be necessary to also connect the Edge Gateway to the same LDAP / OIDC provider in order to allow writing from the central Gateway.

Can you please confirm if this understanding is correct?
Is there any other supported solution to achieve this use case without connecting the Edge Gateway to the LDAP?

Your desired outcome should be possible via the Trust Remote Security Levels setting within Service Security (appropriate Security Zone) on the Edge Gateway:
From the docs @ Service Security:

As of 8.1.2, the Trust Remote Security Levels setting allows users to opt into trusting the Security Levels of remote Gateway users when remote Gateways read, write, and subscribe to local tags. If checked, security levels passed from the remote Gateway will be used for determining access to tags on the local Gateway.

I encourage you to set up the same auth strategy on the Edge gateway(s), with a (hard) failover to an internal user source. Then, the static logins will work only when the network is down.

2 Likes
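To make the behaviour discussed in this thread concrete, here is a small Python model of the write-permission decision as the Edge (tag-hosting) gateway makes it. It is an added illustration, not Ignition's own code or API. It assumes Ignition's hierarchical Security Level paths (e.g. `Authenticated/Roles/Operator`), assumes that holding a level also implies its ancestors, and models the tag write permission as either "All Of" or "Any Of" the required levels. The `trust_remote_levels` flag stands in for the Trust Remote Security Levels setting quoted above; the scenario data (users, levels, tag) is constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class TagWritePermission:
    """Write rule on a tag hosted by the Edge gateway (constructed model)."""
    required: frozenset          # security level paths, e.g. "Authenticated/Roles/Operator"
    require_all: bool = True     # True: "All Of" semantics, False: "Any Of"


@dataclass(frozen=True)
class WriteRequest:
    """A tag write as seen by the Edge: who asked, from where, with which levels."""
    user: str
    origin: str                  # "local" (Edge session) or "remote" (via Gateway Network)
    levels: frozenset            # security levels attached to the request


def expand_levels(levels):
    """Assumed rule: a granted level implies every ancestor on its path.

    "Authenticated/Roles/Operator" -> {"Authenticated", "Authenticated/Roles",
    "Authenticated/Roles/Operator"}.
    """
    out = set()
    for path in levels:
        parts = path.strip("/").split("/")
        for i in range(1, len(parts) + 1):
            out.add("/".join(parts[:i]))
    return frozenset(out)


def effective_levels(request, trust_remote_levels):
    """Levels the Edge actually honours for this request.

    Without Trust Remote Security Levels, levels carried over the Gateway
    Network are ignored, which is the "not recognized on the Edge" symptom
    from the question. Local sessions are always evaluated on their own levels.
    """
    if request.origin == "remote" and not trust_remote_levels:
        return frozenset()
    return expand_levels(request.levels)


def can_write(request, permission, trust_remote_levels):
    """Evaluate the tag's write rule against the honoured levels."""
    held = effective_levels(request, trust_remote_levels)
    if not permission.required:
        return True              # no write restriction configured on the tag
    check = all if permission.require_all else any
    return check(level in held for level in permission.required)


# Constructed scenario matching the thread: a tag writable only by Operators.
OPERATOR_TAG = TagWritePermission(frozenset({"Authenticated/Roles/Operator"}))

REMOTE_OIDC_OPERATOR = WriteRequest(
    "alice", "remote", frozenset({"Authenticated/Roles/Operator"}))
REMOTE_OIDC_VIEWER = WriteRequest(
    "bob", "remote", frozenset({"Authenticated/Roles/Viewer"}))
# Degraded mode: a local Edge account mapped to the same level hierarchy.
LOCAL_EDGE_OPERATOR = WriteRequest(
    "edge_op", "local", frozenset({"Authenticated/Roles/Operator"}))


def scenario(trust_remote_levels):
    """Return the write decision for each constructed request."""
    return {
        r.user: can_write(r, OPERATOR_TAG, trust_remote_levels)
        for r in (REMOTE_OIDC_OPERATOR, REMOTE_OIDC_VIEWER, LOCAL_EDGE_OPERATOR)
    }


if __name__ == "__main__":
    for trust in (False, True):
        print("trust_remote_levels=%s -> %s" % (trust, scenario(trust)))
```

Running it shows the two states side by side: with the setting off, the OIDC Operator on the central gateway is denied even though the level hierarchies match, while the local Edge account still writes; with the setting on, the remote Operator is accepted and the remote Viewer is still refused, because the Edge now evaluates the forwarded levels rather than discarding them.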

Thank you so much, I hadn't noticed that feature, it works perfectly!

1 Like