Old Meets New: Single Sign On Support

Merging Local Identity With Online Identity

Modern online Identity with Azure, Google, Okta.
Long-established manufacturing plants with onsite users
Multiple parties (customer staff, your staff, vendor staff, …)

Simplify this problem with Agilicus AnyX Unified Authentication.

Local Identity

The Challenge

Single Sign On For All, Unlike Identities

Industrial environments are renowned for being out of step with other Information Technology strategies and implementations. It is a common configuration in any Industrial Control System to find a system which has local users (Local Identity). It might be an isolated Microsoft Active Directory. It might be a single machine with local users. And, it is the only sign-on identity the plant operators have available to them.

As a system integrator, your job is to safely and securely support all of your customers. To reduce cost and decrease mean-time-to-repair, this means remote access. The traditional “don’t ask, don’t tell” method is a shared password and a VPN. However, the risk to all the businesses involved is too high: no multi-factor, full wide-open access, possible leakage across sites, risk from previous staff who still hold credentials. This method is no longer acceptable.

To make matters more complex, you may need to share access with the manufacturer, or with the customer’s own staff. Installing the VPN software, managing overlapping IP ranges, managing users and passwords: the effort/reward ratio is not there. There has to be a better way.

With Agilicus AnyX we can achieve three key objectives:

Single-Sign-On All Users
The Agilicus AnyX connector provides a no-shared-account, no-new-account, single-sign-on experience (with multi-factor authentication), regardless of whether a user is authenticated by a local account (Local Identity) in the plant, the identity system of a partner/manufacturer/contractor, or your corporate account.
Concurrent Access
Unlike a VPN environment, which creates a layer-3 adjacency and thus the risk of overlapping IP addresses, the Agilicus AnyX platform operates on top of HTTPS WebSocket: no layer-3 adjacency, no change in routing tables, no concern about overlapping IP. In turn this means you can work on multiple customers simultaneously without a ‘login’ step for each.
Connectivity as a Service
Flip the script. Instead of remote access being a necessary burden, make it a sellable service to your customer. Their local plant identity, their HMI, available to them on any device, any network, any time. This can be an upsell to your service rather than a cost of doing business.

The Solution

Agilicus AnyX: Zero Trust For Industrial Control Systems

Agilicus AnyX provides a unique Zero Trust architecture which is ideal for remote plant access. It lets you use remote desktop resources, HMI, PLC, SSH, web dashboards, etc., safely and simply. As a first-party employee. As a third party. On any device: tablet, laptop, phone. On any network. Without a VPN. With per-user authentication and audit.

Agilicus AnyX, in addition to supporting any OpenID Connect identity provider, can prove local identity against any authentication source inside the plant, without exposing it to the Internet.

In the diagram below, we show three types of user. Support staff work for the system integrator, for us. Contractor staff might be partners of ours, other partners of the customer, the original equipment manufacturer, etc. And customer staff are their team members. In this example, we assume that the system integrator uses Microsoft Office 365, and that the support staff use a combination of Google Workspace, Microsoft Azure Active Directory, and bespoke identity systems like Okta. These users have modern single-sign-on available, unified by Agilicus AnyX.

Notably, though, the diagram also has the customer staff. They are authenticated by the on-site Active Directory (or even local machine accounts). In the example below we assume an HMI machine in Site-1 holds these accounts, and on it we install the Agilicus Connector.

All three types of user will now see a peer experience: a unified sign on, a unified multi-factor, and, direct access to the HMI or PLC in either site.

[Diagram: customer provided local authentication]

In the example diagram, no on-site changes are needed. No changes in configuration. All connections are outbound-only through the firewall. No new users, no changes in training. No shared accounts. Local Identity with Cloud Identity. Compliance and simplicity together.

Key features to highlight include:

ANY DEVICE
No software to install. Works in any web browser. Tablet, Mobile. Desktop. Windows. Linux. Mac.
Stop the truck, pull over, pull out tablet, 1 click sign in, solve the issue.
1-CLICK SIGN IN
No passwords to remember or share. No network addresses to disseminate. Each user sees an icon for each resource they have permission to use.
MULTIFACTOR AUTHENTICATION
Securely sign in as yourself, as you would to any enterprise application. Use code-based or biometric second-factor authentication. Regardless of user type: multifactor for employees, contractors, and vendor support.
NO NEW PASSWORDS
Agilicus AnyX provides Single Sign On with existing enterprise credentials, per user. No passwords to remember or share.
REQUEST ON DEMAND
Contractors and support staff can request access when needed; you will receive a push notification to accept or reject the request.
STRONG ENCRYPTION
All protocols are converted to HTTPS over WebSocket, with strong SSL/TLS encryption. Full compliance for your security controls.

Data Flow

Local Identity Theory Of Operation

The Agilicus Connector runs inside the plant network. It exposes an end-to-end encrypted authentication path (encrypted from the user’s browser to the plant network). When the user signs in via this Local Identity provider, the credentials are presented to the local machine. If the user can sign in there, they are allowed. In this fashion it is the same as being on site.

A user opens their browser. If they are not signed in, they are challenged to prove their identity, optionally with multifactor authentication. This identity is compared against permissions, and an access token (JWT) is generated. A connection is established to the Agilicus AnyX cloud, presenting this access token. This connection is then forwarded to the ultimate resource (PLC, HMI, etc.) via reverse tunnelling down the connector’s outbound HTTPS connection.

The end user sees this as a simple click on an icon in a browser. The desktop appears instantly. An example data flow for VNC is shown below.

VNC Remote Desktop Data Flow
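The token check and permission lookup in the flow above, modelled as an added example (not Agilicus code): the cloud side verifies the user's JWT, checks that this user may reach this resource at this site, and only then forwards over the connector's existing outbound connection. HS256 signing, the claim names, and the resource/connector tables are assumptions constructed for illustration.

```python
# Added example (not Agilicus code): simplified cloud-side authorization step.
import base64, hashlib, hmac, json

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_token(claims: dict, key: bytes) -> str:
    """Issue a compact JWT (HS256) once the user has proven their identity."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"

def verify_token(token: str, key: bytes, now: float):
    """Return the claims if signature and expiry check out, otherwise None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, body, sig = parts
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        return None  # forged or tampered token
    claims = json.loads(_unb64(body))
    if claims.get("exp", 0) <= now:
        return None  # expired: the user must sign in again
    return claims

# Constructed sample data. Connectors register by dialling OUT to the cloud;
# resources are keyed by site and name, never by IP, so overlapping ranges never collide.
CONNECTORS = {"site-1": "conn-a1", "site-2": "conn-b2"}
PERMISSIONS = {
    "alice@example.com": {"site-1/hmi", "site-2/plc"},  # support staff
    "bob@vendor.example": {"site-1/hmi"},               # contractor
}

def route(token: str, site: str, resource: str, key: bytes, now: float) -> dict:
    """Decide whether a request may be forwarded down a connector's tunnel."""
    claims = verify_token(token, key, now)
    if claims is None:
        return {"allow": False, "reason": "invalid or expired token"}
    user = claims["sub"]
    if f"{site}/{resource}" not in PERMISSIONS.get(user, set()):
        return {"allow": False, "reason": "no permission", "user": user}
    # Forward over the connector's existing outbound connection; nothing
    # is dialled inbound to the plant. The returned decision is the audit record.
    return {"allow": True, "user": user, "connector": CONNECTORS[site]}
```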

Would You Like To Learn More?

Agilicus Has The Expertise

The Agilicus team has the expertise, and loves to discuss Zero Trust implementations.

The Chat button on the lower left goes directly to the team, and, we invite you to speak with us.
