We would like to force authentication for a specific whole domain, like edit.domain.com. Authentication would be required for anything on edit.domain.com, whether they go to regular pages or administrative pages. The edit.domain.com is currently set as the 'Edit Host'.
Additionally, if a normal visitor goes to the Primary Host www.domain.com, we do not want them to be forced to log in to public-facing resources like regular pages. Of course, we'd have the typical authentication behavior for any administrative pages they access at www.domain.com.
Some additional information: we've set up SSO with OpenID.
Any suggestions on how to achieve that behavior?
First, the important question: is your edit.domain.com a separate editing server, so that you could have a different web.config for it vs. the "browsing" servers? If yes, then you could create a web.config transform for the editing server to not allow anonymous users but only allow authenticated users with certain roles.
So like this:
<!-- in web.config root -->
<configuration>
  <system.webServer>
    <security>
      <authorization>
        <!-- other stuff snipped away -->
        <remove users="*" roles="" verbs="" />
        <add accessType="Allow" users="" roles="WebAdmins,WebEditors" />
      </authorization>
    </security>
  </system.webServer>
  <!-- Note! If you are using Epi's /util/login.aspx or anything else on the site, -->
  <!-- you need to allow access to the login page in the location element -->
  <location path="util/login.aspx">
    <!-- snipped away -->
    <system.webServer><security><authorization>
      <remove roles="" users="*" verbs="" />
      <add accessType="Allow" users="*" roles="*" verbs="" />
    </authorization></security></system.webServer>
  </location>
</configuration>
See MSDN IIS documentation: https://docs.microsoft.com/en-us/iis/configuration/system.webserver/security/authorization/
But the above will not naturally work if you just have a single web server that serves both the edit and browsing sites (i.e. you have the www and edit domains configured for a single IIS application).
Then you would need to create your own authorization module that checks the host, and if the user is not authenticated and not in the required roles, redirect them to the browsing site or something like that.
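A sketch of the host-checking authorization module described above, as an added example that is not part of the original answer or of Episerver's own code. It is written as an OWIN middleware (Episerver CMS 11 sites use an OWIN Startup class), and assumes that an OpenID Connect authentication middleware is already registered before it so that the challenge it issues turns into the SSO redirect; the host name "edit.domain.com", the role names and the class name are taken from this thread or are hypothetical.

```csharp
using System;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.Owin;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

// Hypothetical middleware (added example, not Episerver's code): everything on the
// edit host requires an authenticated user in one of the editor roles, while any
// other host (www.domain.com) is passed through untouched and keeps its normal
// per-page authorization behaviour.
public class EditHostAuthorizationMiddleware : OwinMiddleware
{
    private readonly string _editHost;
    private readonly string[] _requiredRoles;
    private readonly string _challengeAuthenticationType;

    public EditHostAuthorizationMiddleware(OwinMiddleware next, string editHost,
        string[] requiredRoles, string challengeAuthenticationType) : base(next)
    {
        _editHost = editHost;
        _requiredRoles = requiredRoles;
        _challengeAuthenticationType = challengeAuthenticationType;
    }

    public override async Task Invoke(IOwinContext context)
    {
        // Compare the host name only (strip any :port), case-insensitively.
        var host = context.Request.Host.Value ?? string.Empty;
        host = host.Split(':')[0];
        if (!string.Equals(host, _editHost, StringComparison.OrdinalIgnoreCase))
        {
            await Next.Invoke(context);   // browsing host: no extra requirement
            return;
        }

        var user = context.Authentication.User;
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
        {
            // Anonymous on the edit host: 401 plus a challenge makes the OIDC
            // middleware (registered earlier) redirect to the identity provider.
            context.Response.StatusCode = 401;
            context.Authentication.Challenge(_challengeAuthenticationType);
            return;
        }

        if (!_requiredRoles.Any(user.IsInRole))
        {
            // Logged in but not an editor/admin: refuse rather than serve content.
            context.Response.StatusCode = 403;
            return;
        }

        await Next.Invoke(context);
    }
}

// Hypothetical registration in the site's OWIN Startup class. The OpenID Connect
// middleware must be added before this one so it can handle the challenge and
// its own callback path.
public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        // ... app.UseOpenIdConnectAuthentication(...) configured here (not shown) ...
        app.Use(typeof(EditHostAuthorizationMiddleware),
            "edit.domain.com",
            new[] { "WebAdmins", "WebEditors" },
            OpenIdConnectAuthenticationDefaults.AuthenticationType);
    }
}
```

Because the check keys on the request's Host header, the module only helps if the app service really receives the edit host name on those requests (for example, not rewritten by a front proxy); if you also keep a local login page such as /util/login.aspx, exempt that path before the role check so that users can actually reach it.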
Both domains are hosted under the same server. We'll look into adjusting our authorization code; we wanted to check if there was a different way before we did so.
I suppose when you say "under the same server" you mean in the same IIS application and that is why you can't use a separate web.config for edit site?
It is hosted in the Episerver DXP environment. The domains www.domain.com and edit.domain.com would be hostnames pointed at the same Azure App Service instance.
Ok, wanted to have clarification and that is clear now ;)
But now that you mention DXP, one thing you could do is use the IIS rewrite module to block access to the edit host by IP address, if that is possible for you (yep, it doesn't mean the "user" is authorized). See DXP https://world.episerver.com/documentation/developer-guides/digital-experience-platform/dxc-security/restricting-environment-access/
Another thing you could do is contact DXP support to see if there is something they could do / help you with on your subscription, such as having a separate edit-host app service...