The standard login pages of the VIP authentication hub are used by the admin console.
Audit discovered that those pages do not contain the standard banners and links to policies. To the best of our knowledge we can customize the logo and the name, but there is no way to add other text.
Legacy requires warnings and policies to be included. Without them, anyone who breaks into the site cannot be legally prosecuted.
We need one of:
Release: Oct.05
VIP Auth Hub Admin Console
A custom signin app can be associated with the Admin Console. When the Admin Console starts up, it requests authentication from AuthHub's AZ service, which redirects to the signin page configured for the "AdminConsole" app residing in the "system" tenant. By default that "AdminConsole" app's "flowURL" property is blank, which forces AuthHub's own signin app to come up and begin the signin ceremony. If the app's "flowURL" property is updated to point to your own custom signin URL, the flow redirects there instead.
Two approaches are provided: direct SQL, and the HTTP API using the AuthHub (AH) Postman collection.
Direct SQL
To reset to the as-is state, execute step b again with a flowURL of null.
Perform the following steps using the "System Admin Operations" Postman AuthHub API collection:
- action: GET
- API path: https://{{sspMgmtHost}}/system/admin/v1/Apps/<replace-by-appId-from-step3> (make sure this GUID corresponds to the "AdminConsole" app)
- body: as below; update the last property, "flowURL", to your custom signin URL
  {
    "status": "active",
    "name": "AdminConsole",
    "description": "Client for Tenant Admin Console UI",
    "clientType": "CONFIDENTIAL",
    "allowedOpenIDScopes": null,
    "redirectURIs": [
      "https://%host%/%tenant%/ui/v1/adminconsole/"
    ],
    "allowedGrantTypes": [
      "authorization_code",
      "urn:ietf:params:oauth:grant-type:jwt-bearer"
    ],
    "deviceCodeFlowURL": null,
    "userInfoEndpointResponseFormat": null,
    "skipIssuerAudienceForIT": false,
    "skipEmailForIT": false,
    "zeroFootPrint": false,
    "softMFAEnabled": false,
    "delegatedAuthentication": false,
    "autoPostToFlowURL": false,
    "userTokenSubAttributeMappingName": null,
    "supportedJoseHeaderParams": null,
    "claims": [],
    "allowedOperations": [
      "onbehalfof"
    ],
    "secondaryAudiences": null,
    "assertionVerificationCertAlias": null,
    "appIcon": null,
    "secret": "d7d023a6-7d38-4a38-b59e-a9af454707a8",
    "clientId": "9e005add-3ad7-432b-a18f-cb4802812dc1",
    "itEncryptionTarget": null,
    "itEncryptionCertAlias": null,
    "userInfoEncryptionCertAlias": null,
    "samlEntityId": null,
    "samlAcsUrl": null,
    "samlEnableSingleLogout": false,
    "samlNameIdFormat": null,
    "samlVerifyRequestSignature": false,
    "samlVerifyCertAlias": null,
    "samlEncryptSamlResponse": false,
    "samlEncryptCertAlias": null,
    "samlIdpInitiatedRelaystateMapping": {},
    "skewTimeSecs": 0,
    "passwordAuthoritativeSource": "remote",
    "mitmProtectionLevel": null,
    "idStoreToUse": null,
    "flowURL": "<replace by your custom signin URL>"
  }
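The flowURL is where every Admin Console login is redirected, so the edit above deserves the same guard the step calls out (the record really is the "AdminConsole" app) plus a check that the new URL is an https URL on a host you operate. The following is an added example, not code from the VIP Auth Hub product or its Postman collection: it prepares the update body for the Apps API record and the matching reset-to-null body; the sample record and the allowed-host list are constructed for illustration.

```python
"""Prepare the AuthHub "AdminConsole" app body with a custom signin flowURL.

Added example (not from the VIP Auth Hub docs or Postman collection). It works
on the JSON record returned for the app by
  https://{{sspMgmtHost}}/system/admin/v1/Apps/<appId>
and enforces the check the procedure calls out: the record must really be the
"AdminConsole" app before its flowURL is touched. SAMPLE_APP and the host
allowlist passed by the caller are constructed for this example.
"""
import copy
from urllib.parse import urlsplit

# Constructed sample: a trimmed AdminConsole record as the Apps API returns it.
SAMPLE_APP = {
    "status": "active",
    "name": "AdminConsole",
    "description": "Client for Tenant Admin Console UI",
    "clientType": "CONFIDENTIAL",
    "redirectURIs": ["https://%host%/%tenant%/ui/v1/adminconsole/"],
    "flowURL": None,
}


def _require_admin_console(app):
    # Guard from the procedure: the GUID fetched must belong to "AdminConsole".
    if app.get("name") != "AdminConsole":
        raise ValueError(f"refusing to edit app {app.get('name')!r}; expected AdminConsole")


def set_flow_url(app, signin_url, allowed_hosts):
    """Return a copy of `app` with flowURL set to `signin_url`, or raise."""
    _require_admin_console(app)
    parts = urlsplit(signin_url)
    # Every admin login will be sent here, so accept only an absolute https URL
    # whose host is on the operator-maintained allowlist (constructed input).
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("flowURL must be an absolute https URL")
    if parts.hostname.lower() not in {h.lower() for h in allowed_hosts}:
        raise ValueError(f"host {parts.hostname!r} is not an approved signin host")
    updated = copy.deepcopy(app)
    updated["flowURL"] = signin_url
    return updated


def reset_flow_url(app):
    """Return a copy with flowURL cleared (null), restoring AuthHub's own signin app."""
    _require_admin_console(app)
    updated = copy.deepcopy(app)
    updated["flowURL"] = None
    return updated
```

Send the returned dictionary as the request body in the Postman step above; `reset_flow_url` produces the body for the reset described under Direct SQL.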