Security settings

Change Identity Provider and configure MFA

The MindSphere Identity Provider WebKey supports Multi-Factor Authentication (MFA). Siemens Business Units can also use the Corporate Entitlement Service (CES) as an Identity Provider.

Tenant administrators can enable or disable the Multi-Factor Authentication (MFA) for their tenant. You have the option to select the appropriate authentication methods:

  1. Default Identity Provider configuration via WebKey with user name and password (without MFA)
  2. Identity Provider configuration via WebKey with MFA (via Mail)
  3. Identity Provider configuration via Corporate Entitlement Service with MFA (only for Siemens Business Units)

If you want to change the authentication method, please send an email to provisioning@mindsphere.io with the following content:

Subject: Activation of MFA for tenants

Dear MindSphere Provisioning Team

Please set the authentication method for the tenant given below to the authentication method given below.

Tenant name: <your tenant name here>

Authentication method: <option: 1, 2, or 3>

Note

We recommend changing your password regularly. In addition, using MFA increases security.

MindSphere session handling

You can use an application up to a maximum of 12 hours without logging in again to MindSphere. This section describes the MindSphere session handling in detail.

Session types

When a user is logged into MindSphere, there are two types of sessions:

  • The Application Session
  • The MindSphere Session

Application sessions

Each application in MindSphere is identified by a unique host name, for example -fleetmanager.eu1.mindsphere.io for Fleet Manager. Every application has its own application session. In MindSphere, the idle timeout for these application sessions is 30 minutes.

While the application is in use, each user interaction with the application backend resets the application session idle timer. If the user does not interact with the application backend for longer than the idle timeout, the application session ends and a new application session needs to be established.

If the user still has a valid MindSphere session (see below), this user automatically receives a new application session with no additional effort needed. Otherwise, the user is redirected to the configured single sign-on system. This typically results in a redirection to the login page of the configured identity provider, for example WebKey.

MindSphere session

Each authenticated user in MindSphere has a MindSphere session. This session is also called "MindSphere IAM session". As long as a user has a valid MindSphere session, changing applications is possible without re-authentication.

The MindSphere session idle timeout is 8 hours. The idle timeout counter is reset each time the authenticated user contacts the MindSphere IAM (Identity and Access Management) service. This happens in particular when the user switches to a MindSphere application that has not been used for more than 30 minutes, i.e. whose application session has idle-timed out.

The total duration of a MindSphere session cannot exceed 12 hours. When the MindSphere IAM session has expired, the user is redirected to the configured single sign-on system. This typically results in a redirection to the login page of the configured identity provider, for example WebKey.
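The interaction between the two session types is easiest to see with a small model. The following Python example is added here for illustration and is not MindSphere's own code; it encodes the three documented limits (30 minute application idle timeout, 8 hour IAM idle timeout, 12 hour absolute IAM lifetime) and assumes that only (re)establishing an application session counts as contacting the IAM service.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Timeouts as documented on this page (constructed model, not MindSphere's implementation)
APP_IDLE = timedelta(minutes=30)   # application session idle timeout
IAM_IDLE = timedelta(hours=8)      # MindSphere (IAM) session idle timeout
IAM_MAX = timedelta(hours=12)      # absolute lifetime of the IAM session
LOGIN_AT = datetime(2022, 4, 22, 8, 0)   # constructed login time for the sample runs


@dataclass
class Session:
    login_at: datetime                 # start of the MindSphere IAM session
    iam_last_contact: datetime         # last contact with the IAM service
    apps: dict = field(default_factory=dict)  # app host name -> last backend interaction


def iam_session_valid(s: Session, now: datetime) -> bool:
    """The IAM session is valid only while both the idle and the absolute limit hold."""
    return now - s.login_at < IAM_MAX and now - s.iam_last_contact < IAM_IDLE


def interact(s: Session, app: str, now: datetime) -> str:
    """Record one user interaction with `app`'s backend at time `now`.

    Returns 'ok'      when the existing application session is still valid,
            'new-app' when it had expired but a valid IAM session silently created a new one,
            'reauth'  when the IAM session itself has expired and the user is sent to the IdP.
    Assumption: only (re)establishing an application session contacts IAM and
    therefore resets the IAM idle counter.
    """
    last = s.apps.get(app)
    if last is not None and now - last < APP_IDLE:
        s.apps[app] = now            # each interaction resets the application idle timer
        return "ok"
    if not iam_session_valid(s, now):
        return "reauth"
    s.iam_last_contact = now         # contacting IAM resets its idle counter
    s.apps[app] = now
    return "new-app"


def simulate(events, login_at: datetime = LOGIN_AT):
    """Run (minutes_after_login, app_host) events in order; return the outcome of each."""
    s = Session(login_at=login_at, iam_last_contact=login_at)
    return [interact(s, app, login_at + timedelta(minutes=m)) for m, app in events]


if __name__ == "__main__":
    # Same app after 40 idle minutes: new application session, no login prompt.
    print(simulate([(0, "fleetmanager"), (20, "fleetmanager"), (60, "fleetmanager")]))
    # Regular use, but the 12 hour absolute limit forces re-authentication.
    print(simulate([(0, "fleetmanager"), (420, "fleetmanager"), (735, "fleetmanager")]))
```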

Session Persistency

MindSphere supports the following two modes of session persistency:

  • Enabled session persistency: With session persistency enabled, the user session is not terminated by closing the browser window. This means there is no need to re-authenticate when accessing your tenant for up to 36 hours after closing and reopening your browser. Please note that the session still expires after 12 hours of inactivity. Enabled session persistency is currently not supported for tenants with multi-factor authentication enabled. Enabled session persistency is the default behavior in all tenants created as of Aug 23rd 2020 onwards.
  • Disabled session persistency: With session persistency disabled, the user session is terminated by closing the browser window. This means that authentication is necessary each time a tenant is accessed. This can be required, for example, in case of increased security requirements where a computer is shared between different users. Disabled session persistency is the default behavior in all tenants created prior to Aug 23rd 2020.

To change the session persistency behavior of your tenant, please reach out to the support team with the subject "Session Persistency Configuration Change". We will configure session persistency for your tenant according to your requirements.

Logout problems in IE11

Some users experience logout problems when using Internet Explorer 11. After clicking logout, they are redirected to the Launchpad and can continue working in MindSphere. In that case, try the following steps:

  1. Add "https://*.mindsphere.io" to the "trusted sites" on the "security" tab and check whether logout works as expected afterwards.
    (Screenshot: Trusted sites window)
  2. If step 1 does not work: Overwrite the privacy settings as shown below ("privacy" tab → Settings "Advanced" → see screenshot of "Advanced Privacy Settings") and check whether logout works as expected afterwards.
    (Screenshot: Internet Options advanced privacy settings)

Except where otherwise noted, content on this site is licensed under the MindSphere Development License Agreement.


Last update: April 22, 2022