Forcing a login for specific Domains

We would like to force authentication for a specific whole domain, like edit.domain.com.  Authentication would be required for anything on edit.domain.com, whether they go to regular pages or administrative pages. The edit.domain.com is currently set as the 'Edit Host'.

Additionally, if a normal visitor goes to the Primary Host www.domain.com, we do not want them to be forced to log in to public facing resources like regular pages. Of course, we'd have the typical authentication behavior for any administrative pages they access at www.domain.com.

Some additional information: we've set up SSO with OpenID.

Any suggestions on how to achieve that behavior?  

#230495
Nov 06, 2020 15:12

Hi Brandon,

First the important question - is your edit.domain.com a separate editing server so that you could have a different web.config for it VS the "browsing" servers? If yes, then you could create a web.config transform for the editing server to not allow anonymous users but only allow authenticated users with certain roles.

So like this:

<!-- in web.config root -->
<system.webServer>
  <!-- other stuff snipped away -->
  <security>
    <authorization>
      <remove users="*" roles="" verbs=""/>
      <add accessType="Allow" users="" roles="WebAdmins,WebEditors"/>
    </authorization>
  </security>
</system.webServer>

<!-- Note! if you are using Epis /util/login.aspx or anything else on the site -->
<!-- You need to allow access to the login page in the location element -->

<location path="util">
  <!-- snipped away -->
  <system.webServer>
  <!-- snipped away -->
  <security>
    <authorization>
      <remove roles="" users="*" verbs=""/>
      <add accessType="Allow" users="*" roles="*" verbs=""/>
    </authorization>
  </security>
  </system.webServer>
</location>

See MSDN IIS documentation: https://docs.microsoft.com/en-us/iis/configuration/system.webserver/security/authorization/

But the above will not naturally work if you just have a single web server that has both the edit and browsing (you have the www and edit domains configured for single IIS application).

Then you would need to create your own authorization module that checks the host, and if the user is not authenticated and not in the required roles, you would redirect them to the browsing site or something like that.

#230519
Nov 07, 2020 6:59
Antti Alasvuo - Nov 07, 2020 7:07
And if you did have separate servers for www and edit, then you would disable access to edit urls on the www site web.config. Refer to the old Episerver config instruction: https://world.episerver.com/documentation/Items/Developers-Guide/Episerver-CMS/9/Security/Securing-edit-and-admin-user-interfaces/
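
A host-aware authorization module of the kind suggested above for the single-application case, as an added example that is not part of the original thread and not Episerver code. The class name, the assembly name and the exempt path list are hypothetical; it assumes classic ASP.NET, and that the site's login/SSO middleware turns a 401 into a login challenge. It goes one step beyond the suggestion by requiring login on every host that is not listed as public, so an extra hostname bound to the same application cannot be used to skip the check.

```csharp
using System;
using System.Linq;
using System.Web;

// Added example (hypothetical class). Register in web.config under
// <system.webServer><modules>:
//   <add name="EditHostAuthorizationModule" type="EditHostAuthorizationModule, MySite" />
public class EditHostAuthorizationModule : IHttpModule
{
    // Hosts that anonymous visitors may browse. Every other host name bound to the
    // application (edit.domain.com, the default App Service name, ...) requires login.
    private static readonly string[] PublicHosts = { "www.domain.com" };
    // Roles taken from the web.config sample in the answer above.
    private static readonly string[] RequiredRoles = { "WebAdmins", "WebEditors" };
    // Paths that must stay reachable so a login can complete (assumption: adjust
    // to the login and SSO callback paths the site really uses).
    private static readonly string[] AnonymousPathPrefixes = { "/util/" };

    public void Init(HttpApplication application)
    {
        // AuthorizeRequest fires after authentication has populated Context.User.
        application.AuthorizeRequest += OnAuthorizeRequest;
    }

    private static void OnAuthorizeRequest(object sender, EventArgs e)
    {
        var context = ((HttpApplication)sender).Context;
        var request = context.Request;

        if (PublicHosts.Contains(request.Url.Host, StringComparer.OrdinalIgnoreCase))
            return; // public site: the normal Episerver access rights apply

        if (AnonymousPathPrefixes.Any(p =>
                request.Path.StartsWith(p, StringComparison.OrdinalIgnoreCase)))
            return; // login page must stay reachable

        var user = context.User;
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
            context.Response.StatusCode = 401; // anonymous: let the login challenge run
        else if (!RequiredRoles.Any(user.IsInRole))
            context.Response.StatusCode = 403; // signed in, but not an editor or admin
        else
            return; // authenticated editor or admin

        // Skip the rest of the pipeline so no page content is rendered.
        context.ApplicationInstance.CompleteRequest();
    }

    public void Dispose() { }
}
```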

Both domains are hosted under the same server.  We'll look into adjusting our authorization code, wanted to check if there was a different way before we did so.

#230521
Nov 07, 2020 13:38

I suppose when you say "under the same server" you mean in the same IIS application and that is why you can't use a separate web.config for edit site?

#230522
Nov 07, 2020 16:27

It is hosted in the Episerver DXP environment. The domains www.domain.com and edit.domain.com would be hostnames pointed at the same Azure App Service instance.

#230523
Nov 07, 2020 16:32

Ok, wanted to have clarification and that is clear now ;)

But now you mention DXP, so one thing you could do is use IIS rewrite module to block access to the edit-host using IP-addresses if that is possible for you (yep, it doesn't mean the "user" is authorized). See DXP https://world.episerver.com/documentation/developer-guides/digital-experience-platform/dxc-security/restricting-environment-access/

One thing you could do is contact DXP support and ask if there is something they could do / help you with regarding your subscription and having a separate edit-host app service...

#230524
Nov 07, 2020 17:02