Perspective Google Single Sign On with SAML
When we say Perspective is finally pushing SCADA software into the year we are actually living in, we mean it! For as long as we have been in the integration world, it feels like SCADA software is fighting to get to where the rest of the world was 10 years ago. With Perspective’s integration of Security Assertion Markup Language (SAML) Providers, we are finally to the year 2019.
What is SAML?
Put simply, SAML is a way to enable single sign-on to different software packages. It provides a secure and certificated way for systems to communicate with a known source of user information to handle login and user authentication. For more information, check out the Wikipedia article.
You have probably been using the built-in Ignition security already why do you need to care about SAML? SAML provides a more secure system than simply using usernames and passwords. It uses Identity Providers with secured and certificated communication to verify user information, and reduces the number of systems that can be compromised. This is accomplished by having the identity provider as the source of truth rather than a local database that can more easily be compromised.
SAML also allows you to incorporate many different services into a single sign-on scheme by using SAML authentication to an Identity Provider in each application.
What is an Identity Provider?
An Identity Provider is the main repository for all of your user information. In the case of this post it is Google. It could also be a third party provider like Okta, OneLogin, Active Directory Federation Services, or many others on the market. The Identity Provider stores all of your user information and authenticates any login requests before validating users can access the system. Ignition can also be its own Identity Provider when using the default settings, however this would still require managing user credentials in multiple locations.
How did we decide on Google for our Identity Provider?
Corso Systems uses Google G-Suite for our email, and Google also runs Google Cloud Identity enabling SSO and SAML integrations. Since we don’t use Active Directory, we haven’t been able to get Single Sign On (SSO) in Ignition until now. This is the post showing you how to set it up! It’s going to get deep because we want to make sure we have your questions covered. If you run into any hurdles, please feel free to reach out at firstname.lastname@example.org and we will answer your questions, and can help you set up SSO and SAML integrations for your company as well.
Here is the overview:
- Enable Google Cloud Identity
- Set up SSO in your Google Admin Console
- Add an Identity Provider in your Ignition 8.0 Gateway
- Setup a Custom SAML Application in your Google Admin console
- Create a Perspective Project using the Identity Provider
- Test it out and enjoy the power of SSO!
A prerequisite and a note…First you need to use SSL on the gateway so you can get an https:// URL for Google’s configuration. You can use a self signed certificate, or simply access your gateway with https://ipaddress:port with the SSL port you have configured, but you need to use this to access the gateway. The note is the identity provider will currently only work with Perspective applications. It won’t log you into the gateway, or Vision clients with SSO.
Step 1: Google Cloud Identity
First you will want to enable Google Cloud Identity on your G-Suite Account. Google has a quick walkthrough of this process here. You will need to be an admin on your G-Suite account.
Step 2: Google Single Sign-On
Once you have that set up you first need to configure SSO in your Google Admin page. Under the admin menu select Security->Settings:
Scroll down a bit and select “Set up single sign-in (SSO):
This will give you the URLs and info for SSO:
To make life easy on the Ignition side click the Download IDP Metadata button and save this file somewhere handy, we’ll need it in a second.
Step 3: Add an Identity Provider in your Ignition 8.0 Gateway
Next login to your Ignition gateway, go to the Configuration tab, and under Security, click “Identity Providers”:
Click the “Create New Identity Provider” link, then select Security Assertion Markup Language 2.0 as the type of provider you wish to create, and click the “Create” button:
Fill out the basic details of you provider to give it a name. Next scroll down to the second section for “Import Provider Metadata” and under the “Import from File” section, select the IDP Metadata file you downloaded earlier, and import it. It should populate all of the fields and the certificates for you.
Take note of the ACS URL listed on the settings page, on our gateway it is https://admin.corsosystems.com:8043/data/federate/callback/saml. We will also make an assumption for the Entity ID in a later step, if you run into a 403 App not Configured for User error, click the link in the blue box and look for the “entityID” field in the XML file:
EntityID (ours is https://admin.corsosystems.com:8043) we will need this later:
Save here and you are one step closer.
The last step in the gateway configuration is to add a user. Once you are back on the page listing the identity providers, open the “More” dropdown for this Identity Provider, and select “User Grants”:
Go through this page to add a user, and map it to an email address in your G-Suite account. Here we are using email@example.com You can select the security configuration here, we will use defaults for the time being:
Step 4: Setup a Custom SAML Application in your Google Admin console
The next step is to add a custom SAML application to your Google G-Suite. This allows Ignition to interact with this application for the SAML login, and this application uses settings from Google to allow it to interact with SSO. In G-Suite, under the menu select “Apps”->”SAML Apps” In the bottom right of the screen, click the “+” button to add a new app, then “Setup My Own Custom App”:
Step 2 should auto populate with the information from Google SSO, click next, then on step 3 give your application a name, and add a logo if you would like:
On Step 4 you will use the ACS URL and entityID value from the Ignition gateway. Enter the ACS URL into the first field, then the entityID into the second. Also check the box for the signed response to return information back to Ignition including the email address used to login. On step 5 you can add any custom attribute mapping if you would like, for this tutorial we just left it blank.
Step 5: Create a Perspective Project using the Identity Provider
Now you should have everything you need on the Google side, go back to your Gateway, and into your Perspective Project (see this post for a detailed walkthrough on setting that up). Under the project Properties, under the Perspective->General menu, select the Identity provider we created earlier, in this case “Google”:
Under permissions select what you would like to use for security permissions, in our case we are using “Authenticated”
Next add a view, add this view to your session, save and publish your project. When you open the Perspective App it will ask you to sign in with your Google Credentials. Once you have authenticated your account you will see the view displayed. This works the same as if you logged in using another account before adding SAML through Google Cloud Identity!
Step 6: Test it out and enjoy the power of SSO!