Old Meets New: Single Sign On Support
Merging Local Identity With Online Identity
Modern online Identity with Azure, Google, Okta.
Long-established manufacturing plants with onsite users
Multiple parties (customer staff, your staff, vendor staff, …)
Simplify this problem with Agilicus AnyX Unified Authentication.
The Challenge
Single Sign On For All, Unlike Identities
Industrial environments are renowned for being out of step with other Information Technology strategies and implementations. It is a common configuration in any Industrial Control System to find a system which has local users (Local Identity). It might be an isolated Microsoft Active Directory. It might be a single machine with local users. And, it is the only sign-on identity the plant operators have available to them.
As a system integrator, your job is to safely and securely support all of your customers. To reduce cost and decrease mean-time-to-repair, this means remote access. The traditional “don’t ask, don’t tell” method is a VPN with a shared password. However, the risk to all businesses involved is too high: no multi-factor authentication, wide-open network access, possible leakage across sites, and lingering access for former staff. This method is no longer acceptable.
To make matters more complex, you may need to share access with the manufacturer, or with the customer’s own staff. Installing VPN software, managing overlapping IP address ranges, managing users and passwords: the effort/reward ratio is not there. There has to be a better way.
With Agilicus AnyX we can achieve three key objectives:
The Solution
Agilicus AnyX: Zero Trust For Industrial Control Systems
Agilicus AnyX provides a unique Zero Trust architecture which is ideal for remote plant access. It allows you to safely and simply use remote desktop resources, HMI, PLC, SSH, web dashboards, etc. To use them as a first-party employee. To use them as a third party. On any device: tablet, laptop, phone. On any network. Without a VPN. With per-user authentication and audit.
Agilicus AnyX, in addition to supporting any OpenID Connect identity provider, can prove local identity against any authentication source inside the plant, without exposing it to the Internet.
In the diagram below, we show three types of user. Support staff work for the system integrator, for us. Contractor staff might be partners of ours, other partners of the customer, the original equipment manufacturer, etc. And customer staff are their team members. In this example, we assume that the system integrator uses Microsoft Office 365, and that the support staff use a combination of Google Workspace, Microsoft Azure Active Directory, and bespoke identity systems like Okta. These users have modern single sign-on available, unified by Agilicus AnyX.
Notably, though, the diagram also has the customer staff. They are authenticated by the on-site Active Directory (or even local machine accounts). In the example below we assume an HMI machine in Site-1 has these accounts, and on it we install the Agilicus Connector.
All three types of user will now see a peer experience: a unified sign-on, a unified multi-factor, and direct access to the HMI or PLC in either site.
In the example diagram, no on-site changes are needed. No changes in configuration. All connections are outbound-only through the firewall. No new users, no changes in training. No shared accounts. Local Identity with Cloud Identity. Compliance and simplicity together.
Key features to highlight include:
Stop the truck, pull over, pull out the tablet, one-click sign in, solve the issue.
Data Flow
Local Identity Theory Of Operation
The Agilicus Connector runs inside the plant network. It exposes an end-to-end encrypted authentication path (encrypted from the user’s browser to the plant network). When the user signs in via this Local Identity provider, the credentials are presented to the local machine. If the user can sign in there, they are allowed. In this fashion it is the same as being on site.
A user opens their browser. If they are not signed in, they are challenged to prove their identity, optionally with multi-factor authentication. This identity is compared against permissions, and an access token (JWT) is generated. A connection is made to the Agilicus AnyX cloud, presenting this access token. This connection is then forwarded to the ultimate resource (PLC, HMI, etc.) via reverse tunnelling down the Connector’s HTTPS outbound connection.
The end user sees this as a simple click on an icon in a browser. The desktop appears instantly. An example data flow for VNC is shown below.
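The flow above, modelled as an added illustrative example (not Agilicus code): a signed access token is issued once local sign-in and MFA succeed, and the connector side verifies signature, audience, expiry and MFA before checking whether the user may reach the requested resource over the requested protocol. The token layout, the "connector" audience, the signing key and the permission table are all constructed assumptions.

```python
import base64, hashlib, hmac, json

# Constructed shared secret for this illustration only; a real deployment
# would verify against the identity provider's signing key.
SIGNING_KEY = b"example-signing-key-not-for-production"

# Constructed permission table: user -> resource -> allowed protocols.
PERMISSIONS = {
    "operator1": {"site-1/hmi": {"vnc"}},
    "vendor.tech": {"site-1/plc": {"ssh"}, "site-2/hmi": {"vnc"}},
}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(user: str, mfa_done: bool, now: int, ttl: int = 600) -> str:
    """Issue an HS256 JWT after the local machine accepted the credentials."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": user, "aud": "connector", "exp": now + ttl,
              "amr": ["pwd", "mfa"] if mfa_done else ["pwd"]}
    signing_input = _b64(json.dumps(header).encode()) + "." + _b64(json.dumps(claims).encode())
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64(sig)

def authorize_forward(token: str, resource: str, protocol: str, now: int) -> bool:
    """Connector-side decision: may this token's user be forwarded to resource/protocol?"""
    try:
        head, body, sig = token.split(".")
        expected = hmac.new(SIGNING_KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return False  # signature mismatch: tampered or foreign token
        claims = json.loads(_unb64(body))
    except ValueError:  # malformed base64 or JSON (binascii.Error is a ValueError)
        return False
    if claims.get("aud") != "connector" or claims.get("exp", 0) <= now:
        return False  # wrong audience or expired
    if "mfa" not in claims.get("amr", []):
        return False  # policy: remote plant access requires multi-factor
    return protocol in PERMISSIONS.get(claims.get("sub"), {}).get(resource, set())
```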
Would You Like To Learn More?
Agilicus Has The Expertise
The Agilicus team has the expertise, and loves to discuss Zero Trust implementations.
The Chat button on the lower left goes directly to the team, and we invite you to speak with us.