
Create option to disable default Orion login while using SAML auth


Hey all,

Like the subject says, I would like a way to disable the default Orion username/password form while SAML authentication is enabled. We recently integrated our SolarWinds with Okta for authentication, and enabled a SolarWinds tile in Okta via reverse proxy. Now we are able to load SolarWinds with our phones while not on the VPN, but this has created a bit of a security risk. Since the Orion login is still enabled, this opens potential vulnerabilities to brute-force attacks. Additionally, the Okta integration was a bit confusing for folks since most apps, post-Okta integration, just take you straight to Okta while on VPN, or forward you to Okta for authentication. The Okta SSO button is located at the bottom of the prompt, which for most of our folks isn't a problem, but is for some.

In order to increase security, I think the username/password fields should be hidden if SAML auth is configured, and the username/password should only be displayed in the event of a SAML failure.

Thanks,
Bryan

8 Comments

As an interim solution I bet there's a way for you to edit the html or css of the login page to move the form down or remove it.

I too am interested in a solution for this. I have a client with an Orion installation with SAML thru Keycloak, and the users keep trying the normal login instead of pressing the Keycloak button that leads them to Keycloak for login. It would be nice to have an iframe or something to just log in using Keycloak from the SolarWinds login page.

Level 12

@mesverrum have you tinkered with this? I just got a call from our CISO and am going to be working on that today. Just wanted to see if you had taken a stab at it.

Thanks,

Bryan

Level 12

@tony.johnson I saw you posted about changing the image on the page. Any suggestions for how to remove the username/password fields? Our CISO is pretty adamant about getting this removed this week.

Thanks,

Bryan

Product Manager

@bdufresne Editing the login.aspx file requires disabling the precompiled website and running the configuration wizard. See additional details on how to do that here: https://support.solarwinds.com/SuccessCenter/s/article/Disable-pre-compiled-website-to-allow-optimiz...

Once done, the login.aspx file can then be edited as follows:

Changing line 78 from 

<div class="sw-login-dialog-container">

To

<div class="sw-login-dialog-container hidden">

 

Note these changes may be reverted during a future upgrade. I have not tested SAML authentication with the above method. If you could report your findings it would be greatly appreciated!

Level 12

Thanks @tony.johnson, I'll give that a try and report back. The only thing I could think of that would be better would be configuring a redirect for the login.aspx straight to the SAML authentication page/function.

Level 12

@tony.johnson So we ended up making the change, but hiding the div container on line 78 hid the entire form, including the SAML SSO button. Instead, I worked with a co-worker and we took a look at the C# file for the login.aspx. He found the function for redirect and added the following lines as an else on line 473. 

			else 
			{
				if (string.IsNullOrEmpty(successfulLogout))
				{
					DoRedirect("/Orion/SamlInit.aspx");
				}
			}


This allows logout to loop back to the original Login.aspx and allow local login if SAML fails or a local account is required. It also doesn't remove any functionality, and clicking our Okta tile, entering the URL, or clicking a favorite will auto-redirect to the SamlInit for SSO auth.

Hopefully a future version of the Orion web site can implement something similar to this in the pre-compiled version. Hope this helps anyone else that is interested in auto-SAML auth.
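
A way to check the outcome described in this thread, as an added example that is not part of any post or of Orion's own code: it parses saved login-page markup and reports whether the password field and the SSO link sit outside any hidden ancestor. The sample markup is constructed; only the `sw-login-dialog-container` class, the `hidden` class and the `/Orion/SamlInit.aspx` path come from the thread, and treating `hidden` as a CSS hide is an assumption.

```python
from html.parser import HTMLParser

VOID = {"input", "br", "img", "hr", "meta", "link"}   # tags with no end tag
SSO_PATH = "/orion/samlinit.aspx"                     # path quoted in the thread

class LoginPageAudit(HTMLParser):
    """Track which login controls sit outside any hidden ancestor."""
    def __init__(self):
        super().__init__()
        self.stack = []                # per open element: hidden (own or inherited)?
        self.password_visible = False
        self.sso_visible = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        inherited = bool(self.stack) and self.stack[-1]
        hidden = inherited or "hidden" in (a.get("class") or "").split() or "hidden" in a
        if tag == "input" and (a.get("type") or "").lower() == "password":
            self.password_visible |= not hidden
        if tag == "a" and SSO_PATH in (a.get("href") or "").lower():
            self.sso_visible |= not hidden
        if tag not in VOID:
            self.stack.append(hidden)

    def handle_endtag(self, tag):
        if tag not in VOID and self.stack:
            self.stack.pop()

def audit(html):
    p = LoginPageAudit()
    p.feed(html)
    verdict = ("local form still shown" if p.password_visible
               else "SSO only" if p.sso_visible else "SSO entry point hidden too")
    return {"password_visible": p.password_visible, "sso_visible": p.sso_visible, "verdict": verdict}

# Constructed markup: only the container class and SamlInit path come from the thread.
TEMPLATE = """<div class="sw-login-dialog-container{outer}">
  <form id="local-login"{form}>
    <input type="text" name="username">
    <input type="password" name="password">
  </form>
  <a href="/Orion/SamlInit.aspx">Log in with SSO</a>
</div>"""
AS_SHIPPED = TEMPLATE.format(outer="", form="")
CONTAINER_HIDDEN = TEMPLATE.format(outer=" hidden", form="")   # the edit tried in the thread
FORM_HIDDEN = TEMPLATE.format(outer="", form=' class="hidden"')

if __name__ == "__main__":
    print({n: audit(globals()[n])["verdict"] for n in ("AS_SHIPPED", "CONTAINER_HIDDEN", "FORM_HIDDEN")})
```

This inspects rendered markup only; neither edit in the thread turns off local account login itself.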

Product Manager

@bdufresne Excellent outcome! Kudos to your co-worker. Keep in mind that these edits may be overwritten during future upgrades. I will track this as a Feature Request for any future interest.