Change Identity Provider and configure MFA¶
The Insights Hub Identity Provider WebKey supports Multi-Factor Authentication (MFA). Siemens Business Units can also use the Corporate Entitlement Service (CES) as an Identity Provider.
Tenant administrators can enable or disable the Multi-Factor Authentication (MFA) for their tenant. You have the option to select the appropriate authentication methods:
- Default Identity Provider configuration via WebKey with user name and password (without MFA)
- Identity Provider configuration via WebKey with MFA (via Mail)
- Identity Provider configuration via Corporate Entitlement Service with MFA (only for Siemens Business Units)
If you want to change the authentication method, please send an email to firstname.lastname@example.org with the following content:
We recommend changing your password regularly. In addition, using MFA increases security.
Subject: Activation of MFA for tenants
Dear Provisioning Team
Please set the authentication method for the tenant given below to the authentication method given below.
Tenant name: <your tenant name here>
Authentication method: <option: 1, 2, or 3>
Insights Hub session handling¶
You can use an application up to a maximum of 12 hours without logging in again to Insights Hub. This section describes the session handling in detail.
When a user is logged into Insights Hub, there are two types of sessions:
- The Application Session
- The Insights Hub Session
Each application in Insights Hub is identified by a unique host name. For Insights Hub Monitor for example:
During usage of the application, each user interaction with the application backend resets the application session idle timer. If the user does not interact with the application backend for an extended time period and this time period exceeds the idle timeout, the application session ends. A new application session needs to be established.
If the user still has a valid Insights Hub session (see below), this user will automatically receive a new application session, with no additional effort is needed. Otherwise, the user is redirected to the configured single sign-on system. This typically results in a redirection to the login page of the configured identity provider, for example WebKey.
Insights Hub session¶
Each authenticated user in Insights Hub has a Insights Hub session. This session is also called "Insights Hub IAM session". As long as a user has a valid Insights Hub session, changing applications is possible without re-authentication.
The Insights Hub session idle timeout is 8 hours. The idle timeout counter is reset each time when the authenticated user contacts the Insights Hub IAM (Identity and Access Management) service. In particular, when the user switches to a Insights Hub application that has not been used for more than 30 minutes (application session idle timeout).
The total duration of a Insights Hub session cannot exceed 12 hours. When the Insights Hub IAM session has expired, the user is redirected to the configured single sign-on system. This typically results in a redirection to the login page of the configured identity provider, for example WebKey.
The following modes of session persistency are supported:
|Enabled session persistency||With session persistency enabled the user session is not terminated by closing the browser window. This means there is no need re-authenticate when accessing your tenant for up to 36 hours after closing and reopening your browser. Please note that the session still expires after 12 hours of inactivity. Enabled session persistency is currently not supported for tenants with multi factor authentication enabled. Enabled session persistency is the default behavior in all tenants created as of Aug 23rd 2020 onwards.|
|Disabled session persistency||With session persistency disabled the user session is terminated by closing the browser window. This means that authentication is necessary each time a tenant is accessed. This can be a demand, for example, in case of increased security requirements where a computer is shared between different users. Disabled session persistency is the default behavior in all tenants created prior to Aug 23rd 2020.|
To change the session persistency behavior of your tenant, please reach out to support team with the subject "Session Persistency Configuration Change". We will configure session persistency for your tenant according to your requirements.
Logout problems in IE11¶
Some users experience logout problems when using Internet Explorer 11. After clicking logout, they get redirected to the Launchpad and can continue working.
- Add "https://*.mindsphere.io" to the "trusted sites" on the "security" tab and check whether logout works as expected afterwards.
- If step1 does not work: Overwrite privacy settings as shown below ("privacy tab" → Settings "Advanced" → see screenshot of "Advanced Privacy Settings); and check whether logout works as expected afterwards.