Thanks @Alfredo Revilla - Upwork Top Talent | IAM SWE SWA . Its restricting unauthorised access to the private pages ok, even with that config setting and its allowing public access to pages with location\path config. I've managed to find a way to default the public login splash page. This page just contains branding and a link to the Azure login.
In the Startup class I added:
Public Sub StartAuth(app As IAppBuilder)
app.UseDefaultFiles(CreateDefaultFileOptions())
app.UseStaticFiles(CreateStaticFileOptions())
End Sub
Private Function CreateDefaultFileOptions() As DefaultFilesOptions
Dim options As New DefaultFilesOptions()
Dim physicalFileSystem = New PhysicalFileSystem("")
Dim defaultFileNames() As String = {defaultHiddenPage}
options.FileSystem = physicalFileSystem
options.DefaultFileNames = defaultFileNames
Return options
End Function
Private Function CreateStaticFileOptions() As StaticFileOptions
Dim options As New StaticFileOptions()
Dim physicalFileSystem = New PhysicalFileSystem("")
options.FileSystem = physicalFileSystem
options.OnPrepareResponse = AddressOf OnPrepareResponse
Return options
End Function
defaultHiddenPage is just a static html page with an onload redirect to the public login splash page.
The OnPrepareResponse handler is where it checks for the defaultHiddenPage and redirects to the public login splash page.
Private Function OnPrepareResponse(ByVal context As StaticFileResponseContext) As Task
Dim url As String = context.OwinContext.Request.Uri.OriginalString
System.Diagnostics.Debug.WriteLine("*** OnPrepareResponse: " & url)
If context.OwinContext.Request.Uri.LocalPath.Equals("/" & defaultHiddenPage) Then context.OwinContext.Response.Redirect(loginPage)
Return Task.FromResult(0)
End Function