VIP Authentication Hub - Steps to reuse the custom sign app for the admin console login


Article ID: 259441



VIP Authentication Hub


The standard login pages of the VIP Authentication Hub are used by the admin console.

An audit found that those pages do not contain the standard banners and links to policies. To the best of our knowledge, we can customize the logo and the name, but there is no way to add other text.

Legal requires warnings and policies to be included. Without them, anyone who breaks into the site cannot be legally prosecuted.

We need one of:

  • Ability to customize the standard login page by adding banners and links. If we can add HTML, that would be perfect.
  • Ability to log in to the console via our login application. It already includes everything.



Release : Oct.05

VIP Auth Hub Admin Console


A custom signin app can be associated with the Admin Console. When the Admin Console starts up, it requests authentication from AuthHub's AZ service, which redirects to the signin page configured for the "AdminConsole" app residing in the "system" tenant. By default, that app's "flowURL" property is blank, which forces AuthHub's own signin app to come up and begin the signin ceremony. However, if the app's "flowURL" property is updated to point to your own custom signin URL, the flow redirects there instead.

Two approaches are provided: direct SQL, and the HTTP API using the AH Postman collection.

Direct SQL

  • USE iamauth;   (or whatever the AH schema is)
  • UPDATE T_APPLICATION SET FLOW_URL = '<your-custom-signin-url>' WHERE TENANT_ID = '<system-tenant-id-from-step-b>' AND CLIENT_NAME = 'AdminConsole';

To reset to the as-is state, execute step b with a flow URL of null.

Using Postman API. If you are unable to use Postman, any similar tool can be used to execute the same steps.

Perform the following steps using "System Admin Operations" Postman AuthHub API collection:

  • Execute System Admin Operations --> Acquire Access Token --> Acquire Access Token for System Client
  • Execute System Admin Operations --> Misc Operations --> Get All Apps
  • The response will have 5-6 apps; look for the app named "AdminConsole". Make a note of its "appId", as this app will need to be patched to add the "flowURL" property
  • Duplicate the "Get Apps" API and call it "PATCH App"
  • Update this "PATCH App" API to have the following:

- action GET

- api path  https://{{sspMgmtHost}}/system/admin/v1/Apps/<replace-by-appId-from-step3> !!!!!! Make sure this guid corresponds to "AdminConsole" app  !!!!!!

- body as below...  *** update last property "flowURL" to have your custom signin's URL ***

"status": "active",
"name": "AdminConsole",
"description": "Client for Tenant Admin Console UI",
"clientType": "CONFIDENTIAL",
"allowedOpenIDScopes": null,
"redirectURIs": [
"allowedGrantTypes": [
"deviceCodeFlowURL": null,
"userInfoEndpointResponseFormat": null,
"skipIssuerAudienceForIT": false,
"skipEmailForIT": false,
"zeroFootPrint": false,
"softMFAEnabled": false,
"delegatedAuthentication": false,
"autoPostToFlowURL": false,
"userTokenSubAttributeMappingName": null,
"supportedJoseHeaderParams": null,
"claims": [],
"allowedOperations": [
"secondaryAudiences": null,
"assertionVerificationCertAlias": null,
"appIcon": null,
"secret": "d7d023a6-7d38-4a38-b59e-a9af454707a8",
"clientId": "9e005add-3ad7-432b-a18f-cb4802812dc1",
"itEncryptionTarget": null,
"itEncryptionCertAlias": null,
"userInfoEncryptionCertAlias": null,
"samlEntityId": null,
"samlAcsUrl": null,
"samlEnableSingleLogout": false,
"samlNameIdFormat": null,
"samlVerifyRequestSignature": false,
"samlVerifyCertAlias": null,
"samlEncryptSamlResponse": false,
"samlEncryptCertAlias": null,
"samlIdpInitiatedRelaystateMapping": {},
"skewTimeSecs": 0,
"passwordAuthoritativeSource": "remote",
"mitmProtectionLevel": null,
"idStoreToUse": null,
"flowURL":"<replace by your custom signin URL>"
  • Save the updated "PATCH App" API
  • Execute the "PATCH App" API. Note that the API executes using <systemClientAccessToken>
  • Do another Get Apps and observe that AdminConsole got updated
  • To reset, repeat step 5 with "flowURL" : null
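
The checks the procedure asks for by hand (confirm the GUID belongs to "AdminConsole", then confirm the update after the second Get Apps) can be scripted. The following is an added example, not Broadcom's code: the function names, the allowlist of approved signin hosts, the sample hostnames and the list-of-objects shape of the Get All Apps response are assumptions; only the "appId", "name" and "flowURL" property names and the /system/admin/v1/Apps/ path come from this article.

```python
from urllib.parse import urlsplit

# Constructed sample of a "Get All Apps" response. The list-of-objects shape is an
# assumption; only the appId, name and flowURL property names come from the article.
SAMPLE_APPS = [
    {"appId": "00000000-0000-0000-0000-0000000000a1", "name": "AdminConsole", "flowURL": None},
    {"appId": "00000000-0000-0000-0000-0000000000b2", "name": "OtherApp", "flowURL": None},
]

def find_admin_console(apps):
    """Return the single app named exactly "AdminConsole"; refuse on zero or several."""
    matches = [a for a in apps if a.get("name") == "AdminConsole"]
    if len(matches) != 1:
        raise ValueError(f"expected exactly one AdminConsole app, found {len(matches)}")
    return matches[0]

def check_flow_url(url, allowed_hosts):
    """Accept None (reset) or an https URL on an approved host, nothing else."""
    if url is None:
        return None
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("flowURL must use https")
    if parts.username or parts.password:
        raise ValueError("flowURL must not embed credentials")
    if parts.hostname not in allowed_hosts:
        raise ValueError(f"host {parts.hostname!r} is not an approved signin host")
    return url

def plan_patch(apps, flow_url, allowed_hosts):
    """Build the request path and the flowURL value to place in the PATCH App body."""
    app = find_admin_console(apps)
    return {
        "path": f"/system/admin/v1/Apps/{app['appId']}",
        "previous_flowURL": app.get("flowURL"),  # record the old value for rollback
        "flowURL": check_flow_url(flow_url, allowed_hosts),
    }

def confirm_patch(apps_after, plan):
    """After the second Get Apps: same app, and flowURL exactly as planned."""
    app = find_admin_console(apps_after)
    return plan["path"].endswith("/" + app["appId"]) and app.get("flowURL") == plan["flowURL"]
```

Because the admin console login is redirected to whatever "flowURL" holds, recording "previous_flowURL" before the change gives a known value to restore and to compare against in later configuration reviews.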