[REQUEST COMPLETE] Disable Login when OIDC is enabled

[seamon67]

Now that Pangolin supports OIDC, it would be nice to be able to disable email+password login once everything is configured.

[oschwartz10612]

Thanks for the suggestion! I am going to move this to a discussion so it can be upvoted and prioritized for addition! We will probably tackle this soon!

[ddcguy]

This would be a great feature with the following additional things to note:

1. If you disable the platform SSO and have no other login options configured for the resource, Pangolin should automatically forward to the configured iDP.
2. Since it looks like multiple iDPs can be configured on Pangolin, each resource should have the ability to choose which iDP it will use, and which other authentication sources should be available.
3. I envision you basically have a bunch of toggle enable/disable on the authentication page which you choose which authentication sources are allowed on that resource, and then if you enable a particular one is where you would set options for it, if applicable.
4. If only the iDP is available, then you should have the option to 'auto-redirect to iDP login page'.

This is how Cloudflare handles it on their Access product:

[seamon67]

I reckon an ability add aditional server admins would be required for this.
I couldn't find a way to make a SSO account a server admin.

[miloschwartz]

Interesting idea- this might be possible technically but it's not how OIDC tends to work. Usually users are expected to be redirected to a login page controlled by the other party.

[seamon67]

Is there a technically possible and secure way to have Pangolin take the credentials for the ODIC provider, tunnel them to the provider and receive the authentication, all in the background? I ask because I like the Pangolin interface more, it's sleeker and no redirects at all.

What you want is Pangolin to act as the IdP and not pass credentials to a third party IdP which is completely unnecessary.

[zytoc]

I think what I want is an all-in-one solution at the edge so there aren't so many redirects. But I understand that might not be ideal as you would want your IDP internal and possibly independent of any service/app.

[seamon67]

I think what I want is an all-in-one solution at the edge so there aren't so many redirects.

So yea, Pangolin as IdP does that for you.

But I understand that might not be ideal as you would want your IDP internal and possibly independent of any service/app.

Yea...

[AchrafBardan]

My root user is trough oidc. Did it by deleting the admin user and reauthenticating.

[Gaarindor]

This would really be the slice of delicious cheese on top of the OIDC capability that was added.
My users keep entering Keycloak credentials into the Pangolin login and reporting they can't log in haha

[seamon67]

Lmao same but for Authentik

[seamon67]

Now that I think about it, a really straightforward implementation of this would be to have a Button that disables password login for Resources but not for the main Pangolin portal.

[zytoc]

This is now implemented in the latest version. It's all we need I think.

"When a default identity provider is selected, the user will be automatically redirected to the provider for authentication."

[seamon67]

It's been there for a while now. We use it for pretty much everything.

[etec-masterofsynapse]

This setting currently only exists for direct access, and not yet for the dashboard feature that was introduced in the newest version.

[seamon67]

This setting currently only exists for direct access, and not yet for the dashboard feature that was introduced in the newest version.

Where can I read more about this new dashboard feature?

[etec-masterofsynapse]

https://github.com/fosrl/pangolin/releases/tag/1.16.0

[JustJoostNL]

Would love to see this, but please make sure that we have the ability the link the internal admin account to a identity provider then.

[penalte]

you can if you edit the db and make your admin IDP user the owner and then login and delete the local owner acount. but yes we should have the option to disable password login form, i dont use it IDP only.