Solved
Auto login

Hey guys, I have a question about automating some wall monitors that will be running OutSystems reports. Here is the scenario.

1. There will be 50 or so wall monitors running 24/7 in 3 different cities. These monitors will show a 1-page report that auto refreshes. No human interaction. The reports are already built but can be updated as needed. All computers are on our internal network.


2. Each wall monitor will have its own computer that will reboot automatically every night and launch Chrome and bring up the specific report. The data in these reports is not very sensitive and will be viewed by hundreds of people but don't want to use anonymous.


3. We use a third party service (OneLogin) on top of the OutSystems login for authentication. I could bypass OneLogin and just use OutSystems if it helps.


Has anyone done something similar? Want to automate the authentication/login. Hopefully without storing credentials on the computer. Some approaches being considered.


1. Turn on anonymous but use a hash for security. I have used this approach to generate PDFs in a timer. Not sure how the hash would be obtained by the wall monitor.


2. Whitelist IP addresses instead of logging in.


3. Trying to use the OneLogin API.



I would appreciate it if anyone could share similar experience or suggest an approach.

Rank: #104
Solution

Hi Mark.

I think you could try to use persistent login as an approach to your scenario. After logging in for the first time in the application the end user will not have to provide the credentials again. You can find more information at the link below.

https://success.outsystems.com/Documentation/11/Developing_an_Application/Secure_the_Application/End_User_Management/End_Users_Authentication/Persistent_Login

Rank: #852

Hi Andre. Thanks for the response. I hadn't really considered persistent login because I didn't think you could set it to never expire. I see the default is 10 days. We are on the OutSystems cloud. Do you know if I can change the default from 10 days to a much bigger number (or never) without affecting the persistent login for regular users?


I'm looking into the setting for OneLogin to see if I can do it with them. I think this approach will work with them but still testing.

Rank: #852

As far as I can tell, you cannot change the remember me setting on a per user/group basis. I don't want all users to be logged in forever. Only the special service account that will be used to run these wall monitors.


I can however do that in OneLogin. So I think the general approach is still valid for me. I think it would be great if OutSystems let you change this setting based on security group. It's a little bit of a fringe case but I'm sure many other people could use that functionality. I will mark the original suggestion as the solution. Thanks guys.

There is another option that I have used in a pre-OutSystems application for this same scenario but the concept should work in OutSystems as well.

Use a cookie to store a login token for a specific user role and on the login page check for the cookie and if present bypass the login page and perform a Login via code.

* On first login, if the user belongs to the role, save a cookie with a unique identifier, and save the identifier in an entity along with any other details you need such as userid, the client computer's IP address (particularly if static), login time etc.

* On next login, if the cookie is present, compare with the entity data and if a match then bypass the login page and perform a login in code. Do a check in the preparation of the login page, issue the Login action from System which will let you login with just the userid and no password. Optionally check the IP address of the client is a match with the last IP or maybe within an IP range for extra security.

* Divert to the required page either by using the originalURL browsed to before the login page or alternatively your fixed dashboard page

* Have a control screen where an admin can remove an entry from the entity posted to above to remove access from a device where needed

This way you have 100% control over how the login is treated for anything with that user role without having to change any other security for other users. As long as you have everything forced to use https and don't do silly things like just storing the userid in the cookie then the cookie process should be fairly secure.
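The cookie-token flow from the post above, as an added example that is not part of the original thread and is written in plain Python rather than OutSystems logic. The in-memory dictionary stands in for the entity; the function names, the choice to store only a hash of the token server-side, and the sample user id and addresses are assumptions of this example.

```python
import hashlib
import ipaddress
import secrets
import time

# Stand-in for the entity in the post: one row per enrolled device, keyed by
# the SHA-256 of the cookie value so a leaked table cannot be replayed as cookies.
DEVICE_TOKENS = {}


def token_digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def enroll_device(user_id: int, client_ip: str, allowed_net: str) -> str:
    """First login by a user in the wall-monitor role: issue the cookie value."""
    token = secrets.token_urlsafe(32)  # random identifier, never the user id
    DEVICE_TOKENS[token_digest(token)] = {
        "user_id": user_id,
        "last_ip": client_ip,
        "allowed_net": ipaddress.ip_network(allowed_net),
        "login_time": time.time(),
        "revoked": False,
    }
    return token  # set as a cookie with Secure and HttpOnly, served over HTTPS only


def try_auto_login(cookie_value, client_ip):
    """Login-page check: return the user id to log in as, or None to show the form."""
    if not cookie_value:
        return None
    row = DEVICE_TOKENS.get(token_digest(cookie_value))
    if row is None or row["revoked"]:
        return None
    if ipaddress.ip_address(client_ip) not in row["allowed_net"]:
        return None  # optional IP-range check from the post
    row["last_ip"] = client_ip
    row["login_time"] = time.time()
    return row["user_id"]


def revoke_device(digest: str) -> bool:
    """Admin control screen: cut off one device without touching other users."""
    row = DEVICE_TOKENS.get(digest)
    if row is None:
        return False
    row["revoked"] = True
    return True
```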

Rank: #852

Thanks Jeanene. Because we use a third party service for authentication, I don't have control over the login page. I feel pretty confident that using a persistent token and setting up a policy for that one user/account will work for me. If it doesn't work out I will revisit this and look into your suggestion more.