Open for Voting

Create option to disable default Orion login while using SAML auth

Hey all,

Like the subject says, I would like a way to disable the default Orion username/password form while SAML authentication is enabled. We recently integrated our SolarWinds with Okta for authentication, and enabled a SolarWinds tile in Okta via reverse proxy. Now we are able to load SolarWinds with our phones while not on the VPN, but this has created a bit of a security risk. Since the Orion login is still enabled, this opens potential vulnerabilities to brute-force attacks. Additionally, the Okta integration was a bit confusing for folks since most apps, post-Okta integration, just take you straight to Okta while on VPN, or forward you to Okta for authentication. The Okta SSO button is located at the bottom of the prompt, which for most of our folks isn't a problem, but is for some.

In order to increase security, I think the username/password fields should be hidden if SAML auth is configured, and the username/password should only be displayed in the event of a SAML failure.

Thanks,
Bryan
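
To watch the exposure described in this post while the local form stays reachable, here is an added example (not part of the original thread and not SolarWinds code) that scans IIS W3C logs for bursts of POSTs to the local login form. The `/Orion/Login.aspx` path, the threshold and window values, and the sample log lines are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in IIS W3C extended log format (not real traffic).
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem c-ip
2024-05-01 10:00:00 GET /Orion/Login.aspx 198.51.100.20
2024-05-01 10:00:05 POST /Orion/Login.aspx 198.51.100.20
2024-05-01 10:00:10 POST /Orion/Login.aspx 203.0.113.7
2024-05-01 10:00:12 POST /Orion/Login.aspx 203.0.113.7
2024-05-01 10:00:14 POST /Orion/Login.aspx 203.0.113.7
2024-05-01 10:00:16 POST /Orion/Login.aspx 203.0.113.7
2024-05-01 10:00:18 POST /Orion/Login.aspx 203.0.113.7
2024-05-01 10:00:20 POST /Orion/Login.aspx 203.0.113.7
2024-05-01 10:03:00 GET /Orion/SamlInit.aspx 198.51.100.20
2024-05-01 10:05:00 POST /Orion/Login.aspx 198.51.100.20
"""
LOGIN_PATH = "/orion/login.aspx"  # assumed path of the local login form

def parse_iis(text):
    """Yield one dict per request, keyed by the latest #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))

def flag_login_bursts(text, threshold=5, window=timedelta(minutes=1),
                      ip_field="c-ip"):
    """Return {client: peak count} for clients that sent at least
    `threshold` POSTs to the login form within `window`."""
    recent = defaultdict(deque)  # client -> timestamps inside the window
    flagged = {}
    for row in parse_iis(text):
        if row.get("cs-method") != "POST":
            continue
        if row.get("cs-uri-stem", "").lower() != LOGIN_PATH:
            continue
        ts = datetime.strptime(f"{row['date']} {row['time']}",
                               "%Y-%m-%d %H:%M:%S")
        q = recent[row.get(ip_field, "-")]
        q.append(ts)
        while ts - q[0] > window:  # drop attempts older than the window
            q.popleft()
        if len(q) >= threshold:
            client = row.get(ip_field, "-")
            flagged[client] = max(flagged.get(client, 0), len(q))
    return flagged
```

Behind a reverse proxy, `c-ip` is the proxy's address unless the forwarded client address is logged as a custom field; pass that field's name as `ip_field` in that case.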

  •  I'd also be interested in having this as a built-in option.  In my case I'm only interested in disabling the default login boxes on an Additional Web Server, but the general idea is the same.  I'm going to try the steps you recommended, as well as , and see how it goes.

  •  Excellent outcome! Kudos to your co-worker. Keep in mind that these edits may be overwritten during future upgrades. I will track this as a Feature Request for any future interest.

  •  So we ended up making the change, but hiding the div container on line 78 hid the entire form, including the SAML SSO button. Instead, I worked with a co-worker and we took a look at the C# file for the login.aspx. He found the function for redirect and added the following lines as an else on line 473. 

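    else
    {
        // successfulLogout is empty, so this is not a post-logout visit:
        // redirect straight to the SAML SSO entry point.
        if (string.IsNullOrEmpty(successfulLogout))
        {
            DoRedirect("/Orion/SamlInit.aspx");
        }
    }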


    This allows logout to loop back to the original Login.aspx and allow local login if SAML fails or a local account is required. It also doesn't remove any functionality, and clicking our Okta tile, entering the URL, or clicking a favorite will auto-redirect to the SamlInit for SSO auth.

    Hopefully a future version of the Orion web site can implement something similar to this in the pre-compiled version. Hope this helps anyone else that is interested in auto-SAML auth.

  • Thanks  I'll give that a try and report back. The only thing I could think of that would be better would be configuring a redirect for the login.aspx straight to the SAML authentication page/function.

  •  Editing the login.aspx file requires disabling the precompiled website and running the configuration wizard. See additional details on how to do that here: https://support.solarwinds.com/SuccessCenter/s/article/Disable-pre-compiled-website-to-allow-optimization-to-run-and-be-skipped?language=en_US

    Once done, the login.aspx file can then be edited as follows:

    Changing line 78 from 

    <div class="sw-login-dialog-container">

    To

    <div class="sw-login-dialog-container hidden">

    Note these changes may be reverted during a future upgrade. I have not tested SAML authentication with the above method. If you could report your findings it would be greatly appreciated!