MySSC: improve simplesaml UX

[patheard]

• Currently users can get to the SimpleSAMLphp welcome and login pages. These should not be available.
• Errors also default to using the SimpleSAMLphp theme. They should have a MySSC themed error page.

[patheard]

Leaning towards a full lock down on this with following Apache conf:

<Location /simplesaml/module.php/core/loginuserpass.php >
  Deny from all
</Location>

Reasons being:

• Ansible only has access to the private IP.
• Nginx/Apache only see the public IP.
• SimpleSAML forces login to happen on its baseURL, which means you can't check for access directly to the varnish host names. This also prevents you from examining HTTP headers that are unique to the varnish host name access like HTTP_X_FORWARDED_FOR.

[patheard]

Another option to try. Lookup the jumpbox's public IP during the playbook run and then use that for the allow rule:

dig +short <JUMPBOX_HOSTNAME>

[patheard]

SimpleSAML admin pages are now locked down to only be accessible from the jumpbox.