Locking down an IdP


Jeremy Hutchings

May 17, 2013, 6:26:24 PM5/17/13
to simple...@googlegroups.com
Hi all,

Testing is going well, and we're looking to open up our SP to some more testing, though is there a way of locking down the IdP?

As currently, when going to login.example.com, it redirects to the http://login.example.com/auth/module.php/core/authenticate.php page for a user to select an auth source, which they can use to get the Demo Example page.

I've turned off all the debug in the config etc., though I can't seem to affect this page.

Any ideas?

Cheers
Jeremy

Daniel Tsosie

May 18, 2013, 3:18:07 AM5/18/13
to simple...@googlegroups.com
Good call on this. This is definitely a security issue as core is always enabled by default.

The quick and dirty fix is to chmod a-xrw simplesamlphp/modules/core/www/authenticate.php

If you don't use test authenticate, or use the authorize module, or any third-party modules that are not in the standard distribution.

If you have a theme other than the default you can also do:

touch simplesamlphp/modules/[module_name]/themes/[theme_name]/core/authsource_list.tpl.php

I am open to suggestions on fixes.

I think at the very least that page should be protected with admin.protectindexpage.

Does that seem like a good idea?

-Dan Tsosie
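
The two workarounds above (chmod on core/www/authenticate.php and an empty authsource_list.tpl.php in a custom theme) as one script, added here as an example and not code from the thread or from the simpleSAMLphp project. It assumes the 1.x directory layout ($SSP_ROOT/modules/<module>/www and /themes); the function names and the theme module/name passed in are made up for illustration. The chmod variant only lasts until the next upgrade overwrites the file, and it also takes the test authentication page away, which is what Dan's caveat about test authenticate refers to.

```shell
#!/bin/sh
# Hypothetical hardening helper (example only, not simpleSAMLphp's own tooling).
# Assumes a simpleSAMLphp 1.x checkout at SSP_ROOT with modules/<module>/{www,themes}.

# lock_authenticate_page SSP_ROOT
# Strips every permission bit from modules/core/www/authenticate.php so the web
# server can no longer read or serve it (Dan's "quick and dirty" fix).
# Prints the resulting nine permission characters; returns 1 if the file is missing.
lock_authenticate_page() {
    f="$1/modules/core/www/authenticate.php"
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    chmod a-xrw "$f" || return 1
    # ls -ld prints e.g. "---------- 1 user group ..."; columns 2-10 are the mode bits
    ls -ld "$f" | cut -c2-10
}

# shadow_authsource_list SSP_ROOT THEME_MODULE THEME_NAME
# Creates an empty template at the path a theme uses to override core's
# authsource_list.tpl.php, so the auth-source picker renders nothing once
# theme.use in config.php points at THEME_MODULE:THEME_NAME.
# Prints the path of the created template.
shadow_authsource_list() {
    d="$1/modules/$2/themes/$3/core"
    mkdir -p "$d" || return 1
    t="$d/authsource_list.tpl.php"
    : > "$t"   # same as touch, but also truncates anything already there
    echo "$t"
}

# verify_locked SSP_ROOT THEME_MODULE THEME_NAME
# Succeeds (prints "ok") only when both workarounds are in place:
# the page has no permission bits and the empty theme override exists.
verify_locked() {
    f="$1/modules/core/www/authenticate.php"
    t="$1/modules/$2/themes/$3/core/authsource_list.tpl.php"
    mode=$(ls -ld "$f" | cut -c2-10)
    [ "$mode" = "---------" ] || { echo "authenticate.php still has mode $mode" >&2; return 1; }
    [ -f "$t" ] || { echo "missing theme override: $t" >&2; return 1; }
    [ ! -s "$t" ] || { echo "theme override is not empty: $t" >&2; return 1; }
    echo "ok"
}

# Usage (uncomment and adjust):
# lock_authenticate_page /var/simplesamlphp
# shadow_authsource_list /var/simplesamlphp mytheme production
# verify_locked /var/simplesamlphp mytheme production
```

Run verify_locked after every upgrade or redeploy, since replacing the modules/ tree restores the default permissions on authenticate.php.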

Jeremy Hutchings

May 19, 2013, 5:01:51 PM5/19/13
to simple...@googlegroups.com
I suppose attempting to secure the IdP via a theme is one approach, though being able to disable anything other than incoming requests seems a better idea, as opposed to it displaying all the example and demo information by default.

I was hunting for some kind of production flag in the config. I'm thinking I'll have to add some kind of PHP constant to the config and use that throughout the scripts to stop them responding or interacting when in production.

--
_________________________
Cheers
Jeremy Hutchings

Peter Schober

May 21, 2013, 4:58:13 PM5/21/13
to simple...@googlegroups.com
* Jeremy Hutchings <em...@jeremyhutchings.com> [2013-05-19 23:02]:
> I suppose attempting to secure the IdP via theme is one approach,
> though being able to disable anything other than incoming requests
> seems a better idea, opposed to it displaying all the example and
> demo information by default.

If you submit an issue detailing exactly which "example" and "demo"
things are enabled by a default install and which you feel might
constitute security issues (esp. if they are not sufficiently dealt
with by setting an admin account and password), someone might be able
to do something about it.
-peter