Product Documentation
Abstract
You can limit the set of target URLs to which a user can be redirected during a single sign-on flow or an authentication service flow. This feature is useful with SAML 2.0, OpenID Connect, and authentication service flows. By limiting the set of valid URLs, you can prevent an attacker from redirecting end-users to malicious URLs.
Content
Use the advanced configuration property sps.targetURLallowlist to list valid target URLs.
The value of this property is a comma-separated list of strings. Each string is a regular expression, so a regular expression must not contain a comma (a quantifier such as {1,3} would be split into two entries). Spaces around each string are ignored. The default value is .* (no quotes), which matches any target URL, so the appliance runtime accepts every redirect target until you narrow the list. Because an unescaped dot matches any single character, a hostname written as www.app.ibm.com also matches www.appXibm.com, whose registrable domain appXibm.com is not under your control; escape literal dots as \. in production values.
Example 1: Allow all URLs that start with https://
Use the following advanced configuration value. Note that there are no quotes:
https://.*
Example 2: Limit target URLs to only those with one of a specified list of hostnames:
www.app.ibm.com, www.myidp.ibm.com, (http|https)://www.app.ibm.com/.*, (http|https)://www.myidp.ibm.com/.*
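To see what the two examples above actually accept and reject, the following Python script is an added illustration, not code from IBM Security Access Manager: it parses a property value the way the text describes (comma-split, spaces ignored, one regular expression per entry) and checks target URLs against it. It assumes the runtime matches each pattern against the whole URL; the anchored flag shows how much weaker a substring match would be. The EXAMPLE2 value is the page's own; the HARDENED value, the DEFAULT value and the sample targets are constructed for the demonstration, and HARDENED goes beyond the page by escaping the dots, allowing only https, and accepting a bare host with no path.

```python
import re
from typing import Dict, List, Pattern

# Constructed sample property values (not taken from an appliance).
# EXAMPLE2 is the page's Example 2 value verbatim.
EXAMPLE2 = ("www.app.ibm.com, www.myidp.ibm.com, "
            "(http|https)://www.app.ibm.com/.*, (http|https)://www.myidp.ibm.com/.*")
# HARDENED is an added variant: literal dots escaped, https only,
# and a bare host without a trailing path is also accepted.
HARDENED = r"https://www\.app\.ibm\.com(/.*)?, https://www\.myidp\.ibm\.com(/.*)?"
# The documented default: every target URL is accepted.
DEFAULT = ".*"


def parse_allowlist(value: str) -> List[Pattern[str]]:
    """Split on commas, drop surrounding spaces, compile each entry.
    Splitting on commas is why a pattern itself may never contain one."""
    patterns = []
    for entry in value.split(","):
        entry = entry.strip()
        if entry:
            patterns.append(re.compile(entry))
    return patterns


def target_allowed(target: str, patterns: List[Pattern[str]], anchored: bool = True) -> bool:
    """Return True if some pattern accepts the target.

    anchored=True (the behaviour this example assumes of the appliance) requires
    the pattern to match the whole URL. anchored=False is a substring search,
    shown only to demonstrate why that would be unsafe: any pattern naming the
    trusted host would then also accept an attacker URL that embeds it."""
    if anchored:
        return any(p.fullmatch(target) for p in patterns)
    return any(p.search(target) for p in patterns)


def evaluate(value: str, targets: List[str]) -> Dict[str, bool]:
    """Map each target to its allow/deny decision under one property value."""
    patterns = parse_allowlist(value)
    return {t: target_allowed(t, patterns) for t in targets}


# Constructed targets: legitimate ones first, then attacker-chosen ones.
TARGETS = [
    "https://www.app.ibm.com/home",                          # legitimate
    "https://www.app.ibm.com",                               # legitimate, no path
    "https://evil.example/phish",                            # foreign host
    "https://www.appXibm.com/",                              # abuses an unescaped '.'
    "https://evil.example/?next=https://www.app.ibm.com/",   # embeds the trusted URL
]

if __name__ == "__main__":
    for name, value in (("default", DEFAULT), ("example2", EXAMPLE2), ("hardened", HARDENED)):
        print(name)
        for target, ok in evaluate(value, TARGETS).items():
            print(f"  {'allow' if ok else 'deny':5} {target}")
```

Run as written, the script shows that the page's Example 2 value denies a bare https://www.app.ibm.com (every URL pattern insists on a slash after the host) yet allows https://www.appXibm.com/, because the unescaped dot before ibm matches the X; the hardened value reverses both outcomes. Whatever value you choose, test it the same way against a few URLs you expect to be refused before deploying it.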
- For more information on how to specify advanced configuration properties, see https://www.ibm.com/support/knowledgecenter/SSPREK_9.0.2.1/com.ibm.isam.doc/config/task/managingadvancedcfg_fed.html
- For SAML 2.0 SSO flows, you can specify a Target URL when configuring the initial URL in flows initiated by either the Identity Provider or the Service Provider. For more information, see https://www.ibm.com/support/knowledgecenter/SSPREK_9.0.2.1/com.ibm.isam.doc/config/reference/profileinitialurls.html
- For OpenID Connect flows, you can specify a Target URL when configuring the initial URL for Relying Party initiated single sign-on. For more information, see https://www.ibm.com/support/knowledgecenter/SSPREK_9.0.2.1/com.ibm.isam.doc/config/concept/con_oidc_rp_ini_endpoint.html
- In the authentication service, you can specify a Target URL when configuring the authentication service trigger URL. For more information, see https://www.ibm.com/support/knowledgecenter/SSPREK_9.0.2.1/com.ibm.isam.doc/config/task/tsk_configwgauthservice.html
Document Information
More support for:
IBM Security Access Manager
Software version:
9.0.2.1
Operating system(s):
Appliance
Document number:
608139
Modified date:
17 June 2018
UID
swg27049226