I’m using OpenAM V13.0 connected to multiple applications with OpenID.
When a user is redirected to OpenAM for login, he is served by the server that runs OpenAM, so he is also exposed to the login page of OpenAM itself (configuration, management, etc.).
How can I protect my OpenAM management site from outside access?
The best practice is to secure OpenAM behind the firewall (i.e. make it inaccessible to the public) and place a reverse proxy (i.e. Apache) or OpenIG in the DMZ. You can then limit which URLs are exposed at the proxy layer and enforce additional controls behind the firewall.
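One way to express the proxy-layer URL restriction described in the answer, as an added Apache 2.4 example that is not part of the original answer. The hostnames, certificate paths, the `/openam` context path and the endpoint allowlist (root realm only) are assumptions and must be checked against the actual deployment.

```apache
# Added example: DMZ reverse proxy in front of an internal OpenAM.
# All hostnames, file paths and the endpoint list are placeholders/assumptions.
<VirtualHost *:443>
    # Placeholder public hostname and certificate locations
    ServerName login.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/login.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/login.example.com.key

    # Act as a reverse proxy only, never as an open forward proxy
    ProxyRequests Off
    ProxyPreserveHost On
    # Needed because the backend below is reached over HTTPS
    SSLProxyEngine On

    # Default deny: anything not explicitly allowed below is refused,
    # which covers the administration console and configuration endpoints.
    <Location "/">
        Require all denied
    </Location>

    # Allow only what end users and OpenID Connect clients need:
    # the login UI, the authentication REST call it makes, and the
    # OAuth2/OIDC endpoints. This list is an assumption; confirm it by
    # watching the proxy access log during a test login and adding
    # only the paths the login flow really requests.
    <LocationMatch "^/openam/(XUI/|json/authenticate|json/serverinfo/|oauth2/)">
        Require all granted
    </LocationMatch>

    # Placeholder internal address of OpenAM behind the firewall
    ProxyPass        "/openam/" "https://openam.internal.example:8443/openam/"
    ProxyPassReverse "/openam/" "https://openam.internal.example:8443/openam/"
</VirtualHost>
```

The firewall rule that completes this setup allows inbound traffic to OpenAM only from the proxy's address, so the allowlist cannot be bypassed by connecting to OpenAM directly.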