User authentication
User authentication validates the identity of a subject, which can be a human user, a system, or an application. The AuthenticationService is designed to be extensible by supporting a variety of authentication schemes. In addition, the gauth palette (Google Authenticator app) provides a two-factor mechanism that requires a user to enter their password as well as a single-use token to authenticate.
All stations must have an AuthenticationService, with the Authenticator property for each user set to one of the supported schemes.
When a station attempts a connection, it checks the user's login credentials (user name, password, and, if using the Google Authenticator app, token) against the users under the station's UserService. This process is called user authentication. The actual process depends on the authentication scheme and on the type of connection:
Workbench-to-station (FoxService)
When a user opens a station, Workbench prompts for user name and password (and token if using the Google Authenticator app). When using Niagara 4, this type of authentication defaults to the DigestScheme. Connections to older software versions (NiagaraAX) default to the AXDigestScheme.
HTTPS browser-to-station (WebService)
When a user opens a station from a browser, the system prompts for user name and password (and token if using the Google Authenticator app). The authentication mechanism used depends on the scheme selected in the AuthenticationService.
Station-to-station (FoxService)
As with a Workbench-to-station connection, a station-to-station connection requires an assigned authentication scheme and a pre-configured user name and password. The role assigned to a station user (machine-to-machine communication) should grant only the permissions needed by the accessing station.
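The password-plus-single-use-token check described above can be sketched as follows. This is an added example, not Niagara code: it assumes the token is a standard Google Authenticator TOTP (RFC 6238, HMAC-SHA1, 30-second step, 6 digits), and `UserRecord`, `authenticate`, the PBKDF2 password storage and `DEMO_SECRET` are hypothetical names and choices made for illustration.

```python
import base64, hashlib, hmac, struct

STEP, DIGITS = 30, 6  # Google Authenticator defaults (RFC 6238, HMAC-SHA1)
# Constructed sample secret: base32 of the RFC 6238 test key "12345678901234567890"
DEMO_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

def totp(secret_b32: str, unix_time: int) -> str:
    """Return the TOTP code for the 30-second step containing unix_time."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", unix_time // STEP), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def hash_password(password: str, salt: bytes) -> bytes:
    # Assumption: salted PBKDF2 storage, chosen only for this example
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class UserRecord:
    """Hypothetical stored user: salted password hash plus TOTP secret."""
    def __init__(self, password: str, salt: bytes, secret_b32: str):
        self.salt = salt
        self.pw_hash = hash_password(password, salt)
        self.secret_b32 = secret_b32
        self.last_step = -1  # highest time step already accepted

def authenticate(user, password, token, now, drift_steps=1) -> bool:
    """Succeed only if BOTH factors pass and the token was not used before."""
    pw_ok = hmac.compare_digest(hash_password(password, user.salt), user.pw_hash)
    current = now // STEP
    matched = None
    # Tolerate small clock drift by checking the neighbouring time steps
    for step in range(current - drift_steps, current + drift_steps + 1):
        if step < 0:
            continue
        expected = totp(user.secret_b32, step * STEP).encode()
        if hmac.compare_digest(expected, token.encode()):  # constant-time compare
            matched = step
    # Evaluate both factors before deciding so a failure does not reveal which one
    if not pw_ok or matched is None or matched <= user.last_step:
        return False
    user.last_step = matched  # reject replay of this token or any older one
    return True

if __name__ == "__main__":
    demo = UserRecord("correct horse", b"constructed-salt", DEMO_SECRET)
    t = 1111111109  # constructed timestamp from the RFC 6238 test table
    print(authenticate(demo, "correct horse", totp(DEMO_SECRET, t), t))
```

A captured token is useless after one successful login because `last_step` only moves forward, which is what makes the second factor single-use.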