About the SAML IdP Service
As of Niagara 4.9, there is added support for the SAML IdP Service. Setting up this service on your Supervisor station allows you to take advantage of SAML functionality without having to set up an external Identity Provider (IdP). Installing and configuring the service allows you to set up an internal IdP that works with the SAML Authentication Scheme.
The samlDP feature license is required to run the SAMLIdPService.
Within the service is the Circle of Trust (COT) component. Once configuration is complete, the COT lists the collection of subordinate stations and the collection of users that are allowed to log in to those stations. For example, if a Supervisor that is connected to 100+ stations is using SAML authentication for just a few of them, you can group those few stations together within a Circle of Trust.
You can configure the service with multiple Circle of Trust components.
Additionally, you can add a remote station that is not in the NiagaraNetwork to any Circle of Trust, or specify other authentication schemes or other user prototypes that may be used when logging in.
Users not included in a Circle of Trust cannot log in to the station(s) specified in that COT. Such attempts to log in are rejected by the IdP.
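The Circle of Trust rule described above, modelled as an added example that is not Niagara's own code or API: a COT is a set of stations plus the set of users allowed to log in to them, the IdP rejects any attempt where no COT lists both the user and the station, and a Supervisor may hold several COTs (including one that contains a remote station outside the NiagaraNetwork). The class, function and station/user names are constructed for the illustration; the handling of a station that sits in no COT at all is an assumption of this model, labelled as such in the code.

```python
"""Constructed model of the SAML IdP Circle-of-Trust (COT) login decision.

Added illustration only: this is not Niagara's code. Class and function
names are assumptions, and every station and user name below is made up.
"""
from dataclasses import dataclass, field


@dataclass
class CircleOfTrust:
    """One COT: the subordinate stations it covers and the users allowed there."""
    name: str
    stations: set = field(default_factory=set)
    users: set = field(default_factory=set)


def decide(circles, user, station):
    """Return (allowed, reason) for a login attempt presented to the IdP.

    Rule from the page: a user not included in a COT cannot log in to the
    stations that COT specifies, and the IdP rejects the attempt. A station
    may appear in more than one COT; any COT listing both sides is enough.
    """
    covering = [cot for cot in circles if station in cot.stations]
    if not covering:
        # Assumption of this model: a station in no COT is not served by
        # this IdP, so there is nothing for the IdP to approve.
        return False, f"{station} is not in any Circle of Trust"
    for cot in covering:
        if user in cot.users:
            return True, f"{user} permitted on {station} via COT '{cot.name}'"
    names = ", ".join(cot.name for cot in covering)
    return False, f"{user} is not a member of the COT(s) covering {station}: {names}"


def idp_permits_login(circles, user, station):
    """Boolean form of decide(), for callers that only need the verdict."""
    return decide(circles, user, station)[0]


def stations_user_can_reach(circles, user):
    """All stations, across every COT, that this user may log in to."""
    return {s for cot in circles if user in cot.users for s in cot.stations}


# Constructed sample: two COTs on one Supervisor. 'remote_station_X' stands
# for a station that is not in the NiagaraNetwork but was added to a COT.
SAMPLE_CIRCLES = [
    CircleOfTrust("plant-floor", {"station_A", "station_B"}, {"alice", "bob"}),
    CircleOfTrust("remote-site", {"remote_station_X"}, {"carol", "alice"}),
]


if __name__ == "__main__":
    for user, station in [
        ("alice", "station_A"),          # allowed via plant-floor
        ("alice", "remote_station_X"),   # allowed via remote-site
        ("carol", "station_A"),          # carol is not in plant-floor
        ("dave", "station_B"),           # dave is in no COT at all
        ("alice", "station_Z"),          # station_Z is in no COT
    ]:
        ok, why = decide(SAMPLE_CIRCLES, user, station)
        print(f"{'ALLOW' if ok else 'REJECT':6} {why}")
```

Running the block prints one verdict per attempt; the two rejections for `carol` and `dave` are the behaviour the page describes (only users listed in the COT that covers a station get in), while `alice` reaches stations in both circles because she is a member of both.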
CAUTION: Any user that has admin access to the SAMLIdPService can see the following sensitive information for all stations in the NiagaraNetwork:
Additionally, any user with admin write permissions on the SAMLIdPService can effectively control who logs in to all stations in the NiagaraNetwork, and with what permissions (to the extent allowed by the remote station for remote users). The recommended security best practice is that you treat this as a very sensitive role, assigning it only to highly trusted users who manage authentication.
A provisioning job that is run on the Supervisor simplifies configuring subordinate stations to use the SAML IdP as well.