IBM Support

How to create a whitelist of target URLs

Product Documentation


Abstract

You can limit the set of target URLs to which a user can be redirected during a single sign-on flow or an authentication service flow. This feature is useful with SAML 2.0, OpenID Connect, and authentication service flows. By limiting the set of valid URLs, you can prevent an attacker from redirecting end-users to malicious URLs.

Content

Use the advanced configuration property sps.targetURLallowlist to list valid target URLs.

The value of this property is a set of comma-separated strings. Each string is a regular expression. The regular expression must not contain commas. Spaces between the strings are ignored. The default value is “.*”, which means that the appliance runtime accepts any target URL.

Example 1: Allow all URLs that start with https://

Use the following advanced configuration value. Note that there are no quotes:

https://.*

Example 2: Limit target URLs to only those with one of a specified list of hostnames:

www.app.ibm.com, www.myidp.ibm.com, (http|https)://www.app.ibm.com/.*, (http|https)://www.myidp.ibm.com/.*
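As an added illustration (not part of the IBM documentation), the following Python models how a comma-separated value such as Example 2 is split into regular expressions and matched against a target URL, and shows why unescaped dots in the hostnames make the list looser than intended. Whole-string matching of each expression is an assumption of this example, not something the page states.

```python
import re

# The property value exactly as shown in Example 2 above.
EXAMPLE2 = ("www.app.ibm.com, www.myidp.ibm.com, "
            "(http|https)://www.app.ibm.com/.*, (http|https)://www.myidp.ibm.com/.*")

# Same list with the dots escaped, so "." matches only a literal dot.
EXAMPLE2_ESCAPED = (r"www\.app\.ibm\.com, www\.myidp\.ibm\.com, "
                    r"(http|https)://www\.app\.ibm\.com/.*, (http|https)://www\.myidp\.ibm\.com/.*")


def parse_allowlist(value):
    """Split the property value into compiled regular expressions.

    Per the page: entries are comma-separated, spaces around them are
    ignored, and each entry is a regular expression (so no entry may
    contain a comma).
    """
    return [re.compile(e.strip()) for e in value.split(",") if e.strip()]


def is_allowed(target_url, patterns):
    """True if the URL matches any entry; whole-string match is assumed."""
    return any(p.fullmatch(target_url) for p in patterns)


def check_examples(value):
    """Evaluate a set of constructed target URLs against an allowlist value."""
    patterns = parse_allowlist(value)
    return {
        "app_https": is_allowed("https://www.app.ibm.com/dashboard", patterns),
        "idp_http": is_allowed("http://www.myidp.ibm.com/", patterns),
        "bare_host": is_allowed("www.app.ibm.com", patterns),
        "other_host": is_allowed("https://other-host.example/", patterns),
        "ftp_scheme": is_allowed("ftp://www.app.ibm.com/", patterns),
        # An unescaped "." matches any character, so a host with one
        # character changed still passes the unescaped list.
        "dot_wildcard": is_allowed("https://wwwXapp.ibm.com/", patterns),
    }


if __name__ == "__main__":
    for name, value in (("as written", EXAMPLE2), ("dots escaped", EXAMPLE2_ESCAPED)):
        print(name, check_examples(value))
```

Only the "dot_wildcard" result differs between the two lists: the escaped form rejects the lookalike hostname while accepting every intended URL.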


Document Information

More support for:
IBM Security Access Manager

Software version:
9.0.2.1

Operating system(s):
Appliance

Document number:
608139

Modified date:
17 June 2018

UID

swg27049226