Open for Voting

Create option to disable default Orion login while using SAML auth

Hey all,

Like the subject says, I would like a way to disable the default Orion username/password form while SAML authentication is enabled. We recently integrated our SolarWinds with Okta for authentication, and enabled a SolarWinds tile in Okta via reverse proxy. Now we are able to load SolarWinds with our phones while not on the VPN, but this has created a bit of a security risk. Since the Orion login is still enabled, this opens potential vulnerabilities to brute-force attacks. Additionally, the Okta integration was a bit confusing for folks since most apps, post-Okta integration, just take you straight to Okta while on VPN, or forward you to Okta for authentication. The Okta SSO button is located at the bottom of the prompt, which for most of our folks isn't a problem, but is for some.

In order to increase security, I think the username/password fields should be hidden if SAML auth is configured, and the username/password should only be displayed in the event of a SAML failure.

Thanks,
Bryan

  •  So we ended up making the change, but hiding the div container on line 78 hid the entire form, including the SAML SSO button. Instead, I worked with a co-worker and we took a look at the C# file for the login.aspx. He found the function for redirect and added the following lines as an else on line 473. 

    			else 
    			{
    				if (string.IsNullOrEmpty(successfulLogout))
    				{
    					DoRedirect("/Orion/SamlInit.aspx");
    				}
    			}


    This allows logout to loop back to the original Login.aspx and allow local login if SAML fails or a local account is required. It also doesn't remove any functionality, and upon clicking our Okta tile, entering the URL, or clicking a favorite, it will auto-redirect to the SamlInit for SSO auth.

    Hopefully a future version of the Orion web site can implement something similar to this in the pre-compiled version. Hope this helps anyone else that is interested in auto-SAML auth.
