+27
Under Review

Remove "Login" field after SAML integration.

adam ellington 6 years ago updated by Asher O 2 months ago 25 2 duplicates

Have the option to only allow authentication through SAML once it's integrated.

Duplicates 2

Would like to second this.  We want our page to redirect to our own authentication page that handles authentication and multifactor, before letting them log in to ScreenConnect.   Having the ability to turn this feature on/off from WebConfig Options would be great.

+1

I agree, now that we have SAML working I don't understand why the username, password and login buttons are active.



+1

We allow some of our clients with internal IT to use our ScreenConnect instance. If I link their Azure AD and put the Display Name as them, then it leaks who my clients are to the public. The only alternative is to give them generic names, but then I have to tell my various clients to use the second button, or the third one.


I would really like it if the logon page could match the domain of the user with a given external provider instead of listing the various external providers to the public.


We could simply add a field to the SAML configuration that is the domain name and then it can auto switch.

Wondering if there's any movement on this.  We'd like to activate SAML auth, pairing it with our AD accounts.  But, we don't want them to also be able to log in with their AD accounts.  With this "dual" login option, seems like we're offering them a workaround for the MFA we're imposing.  I see it was under review 3 months ago.  Any progress on that review?  Thanks!  Patrick

Another vote for this please :) obviously with a backup URL so if SAML fails we can still get in using a dedicated admin account with a secondary method. SecretServer has a great implementation for this if anyone needs some inspiration.

Yeah, this would definitely be a good feature. Even at least removing the Forgot Password? option, as this wouldn't be serviced by Control at all.

For those who want to hide the Forgot Password? link, simply go to Admin > Appearance and edit the LoginPanel.ForgotPasswordLinkButtonText field and ensure that it is empty (no value).

Hope that helps.

I found that the best option is to set LoginPanel.ForgotPasswordLinkVisible to false because that will disable the link entirely rather than just removing the text.

We would also like to get directly logged in via our SSO Portal, there should be an attribute - RequestInitiator Binding in SAML for this?

Any update regarding this subject?

I'd love to see a mapping of the domain name to OAUTH user source in Control -- so these 5 domains go to this OAUTH client.. and anything else goes to the local source for example.  

When a user enters their email address Control would know where to send them for login the same way Microsoft does when you enter a domain that is using federated auth.

We would also like to see this feature. We only use SSO, so the login page is redundant. It would be best if the user clicks login and is just signed in with SSO.

Has there been any movement on this? Wanting to get rid of the local login.

+2

I would like to second this. When using certain browsers with SSO (Azure AD in our case), if you go back to the login screen it auto populates your SSO string in the user name field and this can cause consistent sign in issues with non-tech savvy people. For example, if your company uses this tool for IT personnel and also for secure remote connection for maintenance staff to access the computer running HVAC control software. The maintenance staff won't realize how to get around this and sign in with a different user. This is consistently generating some tickets for our Helpdesk.

Yes please!... we have no users with passwords, please let us remove the option and in turn remove the clicks...

Yes, please have an option to disable or at least hide the local account logon fields for customers that use SSO. Also, consider updating the word "Login" to "Sign in" which is the more modern and accurate term these days.

If you're really desperate to remove the L/P prompt, you should be able to comment out the part of login.aspx that displays it.  Should be lines 84-92 or thereabouts depending on your version.

Starting at: "$form({ _commandName: 'SubmitLogin' }, ["

Ending at:  "])," that's indented to the same level.

There would still be a landing page where you would have to click the SSO button though, right?   More ideal is an option to set SSO only so you're auto signed in without the SignIn landing page.

SSO has to be initiated somewhere. Normally that would be done from an SSO portal/landing page with all your apps on it. Clicking on the ScreenConnect link would take you directly to being logged in without using the login page at all. I've tested that, it does work. The larger issue with options on the login page is user confusion, or on the flip side if you have multiple external providers, leaking information about your clients and what login options are available. I've changed my login page to remove those, as opposed to removing the L/P.