Block login access to simpleSAMLphp GUI


Shari Harper

Sep 6, 2013, 11:03:32 AM
to simple...@googlegroups.com
We have set up simpleSAMLphp as SP to Sun OpenSSO IdP and have integrated simpleSAMLphp authentication within Drupal 7.  Would like to now block access to the simpleSAMLphp web interface and only allow user authentication through the simpleSAMLphp authentication Drupal module.  Was wondering if anyone else has had this requirement and successfully implemented?  Any guidance on how best to do this would be greatly appreciated.

Peter Schober

Sep 6, 2013, 11:09:16 AM
to simple...@googlegroups.com
* Shari Harper <sharily...@gmail.com> [2013-09-06 17:03]:
Did you try setting
'admin.protectindexpage' => true,
in the main config file? Or is that not sufficient for what you're
after?
-peter

Shari Harper

Sep 6, 2013, 12:29:30 PM
to simple...@googlegroups.com, peter....@univie.ac.at
I apologize, didn't see that setting in the config file but that will work perfectly for what we needed.  Thanks very much for taking the time to point me in the right direction.

Shari Harper

Sep 9, 2013, 1:38:18 PM
to simple...@googlegroups.com, peter....@univie.ac.at
Actually we do need to be able to block access entirely to the simpleSAML php web interface via firewall protection if possible.  This will be sitting in the public internet and we don't want hackers to be able to attempt access at all so need to restrict by IP range.  Is there a way you could recommend to best accomplish this?

Thanks!



Peter Schober

Sep 9, 2013, 6:41:41 PM
to simple...@googlegroups.com
* Shari Harper <sharily...@gmail.com> [2013-09-09 19:38]:
> Actually we do need to be able to block access entirely to the simpleSAML
> php web interface via firewall protection if possible. This will be
> sitting in the public internet and we don't want hackers to be able to
> attempt access at all so need to restrict by IP range. Is there a way you
> could recommend to best accomplish this?

Setting it to a very large random-ish string should do, I would think.
While you can always configure the webserver to deny access to exactly
those parts of the site (Apache httpd LocationMatch directive) maybe
IP address checking isn't suitable for such requirements at all.
Consider removing the underlying template code from the system (and
no, I don't have a list for you, you'd look at that yourself).

Longer term you should probably file an issue with the bug tracker to
make the admin pages into a module that can be disabled easily, like
the other modules.
-peter

Björn Krellner

Sep 10, 2013, 2:01:30 AM
to simple...@googlegroups.com
Hello,

Shari Harper wrote on Monday, September 9, 2013, at 19:38:
> Actually we do need to be able to block access entirely to the simpleSAML
> php web interface via firewall protection if possible. This will be
> sitting in the public internet and we don't want hackers to be able to
> attempt access at all so need to restrict by IP range. Is there a way you
> could recommend to best accomplish this?

To protect against this, I have implemented a minimal authentication module
that just forbids login. If the web interface is needed, one can just
change the authentication source and the admin password is immediately
allowed.

The tiny code sources are attached. Hope that fits your use cases, too.

Regards
Björn
AdminDeactivated.tar.gz

Shari Harper

Sep 11, 2013, 2:39:51 PM
to simple...@googlegroups.com, bjoern....@hrz.tu-chemnitz.de
Thanks so much for your help, we'll give this a go!  