AA should have a well-thought-out configuration option for explicitly designated AA Webserver role servers to turn off access to all portals (Admin/Helpdesk/reporting/etc.) except for the Authenticators Management and OSP (SAML/OAuth), and of course whatever is needed to perform thick client (Win/Mac/Linux) authentication.

Very often AA Webservers are installed in a DMZ so that authentication services face the Internet. But just because I want to enable my users to authenticate from anywhere or perform authenticator management, by no means does that mean I want any sort of administrative capability to face the Internet. That is supremely bad security practice, as your attack surface is unnecessarily increased.

I’d caution against forcing this option to globally apply to all AA Webservers even in the same AA Site, as you may want to allow other internally-located AA Webservers in that same AA Site that are not placed within a DMZ to indeed have those additional portal paths accessible, so that internal Helpdesk and other admins can work as needed against those while on-prem.

If you decide to just extend the existing IP Whitelisting feature that currently only applies for /admin to these other areas, then at least enhance that whitelisting service to also examine the HTTP Request “X-Forwarded-For” header, as the AA Webservers are almost always behind a load balancer which then NATs/obfuscates the real client Source IP from the AA server.
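The whitelist-behind-a-load-balancer point above has a well-known pitfall: X-Forwarded-For is set by whoever sends the request, so a check that simply reads the leftmost value can be bypassed by a client that adds its own header. The added example below (not NetIQ's code; the proxy range, whitelist and path prefixes are constructed) only honours the header when the TCP peer is a known load balancer, and walks the chain from the right to find the first hop that is not one of your own proxies:

```python
import ipaddress

# Constructed values for illustration; replace with your own ranges/paths.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]      # DMZ load balancer pool
ADMIN_WHITELIST = [ipaddress.ip_network("192.168.50.0/24")]  # on-prem helpdesk/admin nets
RESTRICTED_PREFIXES = ("/admin", "/helpdesk", "/report")     # hypothetical portal paths
# Anything else (authenticator management, OSP, client auth) stays reachable.


def in_any(addr, networks):
    return any(addr in net for net in networks)


def effective_client_ip(peer_ip, xff_header=None):
    """Return the real client address, or None if it cannot be determined safely.

    X-Forwarded-For is only trusted when the direct peer is one of our load
    balancers. The chain is read right-to-left: hops that are our own proxies
    are skipped, and the first non-proxy hop is the client. Everything to the
    left of it was supplied by the client itself and is ignored.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not xff_header or not in_any(peer, TRUSTED_PROXIES):
        return peer  # direct connection, or header from an untrusted source
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None  # malformed entry: fail closed rather than guess
        if not in_any(addr, TRUSTED_PROXIES):
            return addr
    return None  # every hop was a proxy; no client address to whitelist


def is_allowed(path, peer_ip, xff_header=None):
    """Deny restricted portals unless the derived client IP is whitelisted."""
    if not path.startswith(RESTRICTED_PREFIXES):
        return True
    client = effective_client_ip(peer_ip, xff_header)
    return client is not None and in_any(client, ADMIN_WHITELIST)
```

A request that arrives directly from the Internet with a forged whitelisted address in the header is therefore judged by its peer address, and a spoofed value prepended in front of the load balancer's own entry is never reached.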