3.6 Configuring a Whitelist of Target URL

URL redirection, which many applications and services require, inherently carries security risk: an attacker can tamper with the redirect parameter in a request so that a user who has just authenticated is sent to an external, malicious site (an open redirect). To prevent this, you can configure a list of permitted domains. Identity Server then allows redirection only to the configured domains.

3.6.1 Configuring a Global Whitelist of Target URL

  1. Click Devices > Identity Servers > Edit > Identity Providers.

  2. Under Redirection White List, click New.

  3. Specify Domain.

    You can specify a domain name with an asterisk wildcard character (*) that represents the entire DNS subtree. For example, specifying *.digitalairlines.com as a domain allows redirection to every child domain under digitalairlines.com and to digitalairlines.com itself. The www prefix is not required. The * wildcard is permitted only at the lowest (leftmost) level of the subtree; it cannot appear in the middle of a name.

    For example:

    Valid domain name: *.digitalairlines.com

    Invalid domain name: innerweb.*.com

    You must configure at least one domain to prevent open redirection. If no domain is configured, redirect targets are not restricted.

    Liberty: The target parameter is filtered. If the requested target is not in the whitelist, Identity Server does not log the user in.

    WS-Fed: The wreply parameter is filtered. If the requested wreply is not in the whitelist, Identity Server does not log the user in. However, if the wreply domain is the same as the domain of the provider's single logout or single sign-on URL, the request is accepted.

    SAML 2.0: For idpsend, the target parameter is filtered using this list. The list is not applied to spsend.

3.6.2 Configuring a Whitelist of Intersite Transfer Service Target URL

  1. Click Devices > Identity Servers > Edit > [Liberty, SAML1.1, or SAML 2.0] > [Service Provider] > Intersite Transfer Service.

  2. In the Domain List, click New.

  3. Specify the domain name.

    The domain name must be a full domain name, such as www.digitalairlines.com. Wildcard domain names, such as www.digitalairlines.*.com, do not work.
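The following is an added example, not NetIQ Access Manager or Identity Server code, showing how a redirect target is checked against the two kinds of list above: the wildcard list of 3.6.1 (*.digitalairlines.com covers the apex and every name below it; the wildcard is only valid as the whole leftmost label) and the exact full-domain list of 3.6.2. It also shows why the check must be made on the parsed host rather than by searching the raw URL string. Function names, the use of urllib.parse, the refusal of anything that is not an absolute http(s) URL without userinfo, and the implicit_hosts parameter (which models the WS-Fed rule that a wreply on the provider's own SSO/SLO domain is accepted) are assumptions of this example, not product behaviour.

```python
"""Redirect-target whitelist check modelled on the domain rules of 3.6.1 and 3.6.2.

Added example; not Identity Server code. Assumptions not stated on the page:
function names, urllib.parse for host extraction, rejection of any target that
is not an absolute http(s) URL without userinfo, and the implicit_hosts
parameter used to model the WS-Fed SSO/SLO-domain exception.
"""
from typing import Iterable
from urllib.parse import urlsplit


def _canon(name: str) -> str:
    """Lower-case a DNS name and drop a trailing dot (DNS names are case-insensitive)."""
    return name.strip().lower().rstrip(".")


def is_valid_entry(entry: str) -> bool:
    """A whitelist entry is either a full domain name or '*.<domain>'.

    The wildcard is permitted only as the entire leftmost label, so
    'innerweb.*.com' and 'www.digitalairlines.*.com' are rejected.
    """
    entry = _canon(entry)
    if not entry or entry.startswith(".") or ".." in entry:
        return False
    if "*" not in entry:
        return True
    return entry.startswith("*.") and len(entry) > 2 and "*" not in entry[2:]


def domain_matches(entry: str, host: str) -> bool:
    """Match one (already validated) entry against a request host.

    '*.digitalairlines.com' matches digitalairlines.com itself and every
    name below it; a plain entry such as 'www.digitalairlines.com' must
    match exactly (the 3.6.2 Intersite Transfer Service rule).
    """
    entry, host = _canon(entry), _canon(host)
    if entry.startswith("*."):
        suffix = entry[2:]
        return host == suffix or host.endswith("." + suffix)
    return host == entry


def redirect_allowed(target_url: str, whitelist: Iterable[str],
                     implicit_hosts: Iterable[str] = ()) -> bool:
    """Decide whether a redirect target may be followed.

    The decision is made on the parsed host, never by searching the raw
    string, so 'https://digitalairlines.com@evil.example/',
    'https://evil.example/?next=digitalairlines.com' and
    'https://digitalairlines.com.evil.example/' are all refused.
    """
    whitelist = list(whitelist)
    bad = [e for e in whitelist if not is_valid_entry(e)]
    if bad:
        raise ValueError(f"invalid whitelist entries: {bad}")
    if not whitelist:
        # The page requires at least one domain; an empty list would be an
        # unrestricted (open) redirect, so fail closed here.
        return False
    target = target_url.strip()
    if "\\" in target:
        # Browsers treat '\' like '/' in http(s) URLs, urlsplit does not;
        # refuse rather than let 'https://evil.example\\@digitalairlines.com/'
        # parse as a whitelisted host while the browser goes to evil.example.
        return False
    parts = urlsplit(target)
    if parts.scheme not in ("http", "https"):
        # Also refuses scheme-relative '//evil.example' and 'javascript:' targets.
        return False
    if parts.username is not None or parts.password is not None:
        # Userinfo has no legitimate use in a redirect target; it is only
        # ever there to make the URL look like it points at a trusted host.
        return False
    host = parts.hostname  # port stripped, lower-cased
    if not host:
        return False
    if _canon(host) in {_canon(h) for h in implicit_hosts}:
        return True
    return any(domain_matches(e, host) for e in whitelist)
```

Relative targets such as /portal are deliberately refused by this example; if an application must accept them, accept only a path that begins with a single "/" (not "//" or "/\") and never hand a relative target to urlsplit expecting a host.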

3.6.3 Configuring a Whitelist of Assertion Consumer Service URL

When an authentication request from a service provider is not signed, Identity Server cannot validate the authenticity and integrity of the request. An attacker who can intercept or craft such a request can therefore change the Assertion Consumer Service (ACS) URL in it and cause Identity Server to send the assertion, and with it the user's identity, to a site under the attacker's control.

To secure and validate unsigned authentication requests from a service provider, use the following options in the service provider configuration of Identity Server:

  • SAML2_ACS_URL_RESTRICT: Identity Server validates the Assertion Consumer Service URL in the request against the ACS URLs in the service provider's trusted metadata before sending the assertion. If the ACS URL in the authentication request has been tampered with, Identity Server terminates the request and no assertion is sent.

  • SAML2_ACS_DOMAIN_WHITELIST: Identity Server additionally validates the Assertion Consumer Service URL in the request against a whitelist of domains. If the host of the ACS URL does not match any domain in the whitelist, Identity Server terminates the request.

    SAML2_ACS_DOMAIN_WHITELIST must be defined together with SAML2_ACS_URL_RESTRICT for a service provider. SAML2_ACS_DOMAIN_WHITELIST has no effect unless SAML2_ACS_URL_RESTRICT is enabled.

To define these options, perform the following steps:

  1. Click Devices > Identity Servers > <Cluster> > Edit > SAML 2.0.

  2. Select the required service provider.

  3. Click Options > New.

  4. Select OTHER and specify the following properties:

    Property Name: SAML2_ACS_URL_RESTRICT

    Property Value: True

    Description: If true, Identity Server allows authentication only to the trusted ACS URLs.

    Property Name: SAML2_ACS_DOMAIN_WHITELIST

    Property Value: Domain names separated with a semi-colon (;)

    Description: Identity Server performs additional validation of the authentication request against the ACS domain whitelist.
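The following is an added example, not Identity Server code, that applies the two options above in the order the page describes to a constructed, unsigned SAML 2.0 AuthnRequest: the requested AssertionConsumerServiceURL must first equal one of the ACS URLs from trusted metadata (SAML2_ACS_URL_RESTRICT), and only then is its host checked against the semicolon-separated SAML2_ACS_DOMAIN_WHITELIST. It also shows the caveat that the whitelist alone does nothing when SAML2_ACS_URL_RESTRICT is not enabled. Function names, the exact-string comparison against metadata, exact (non-wildcard) matching of whitelist domains against the ACS host, and the decision that a request carrying no ACS URL attribute has nothing to validate at this stage are assumptions of this example.

```python
"""Two-stage Assertion Consumer Service (ACS) URL check modelled on the
SAML2_ACS_URL_RESTRICT and SAML2_ACS_DOMAIN_WHITELIST options described above.

Added example; not Identity Server code. Assumptions not stated on the page:
function names; trusted ACS URLs are the ones from service provider metadata
and are compared exactly; whitelist domains are compared exactly against the
ACS host (no wildcard); a request with no AssertionConsumerServiceURL
attribute has nothing to validate here.
"""
import xml.etree.ElementTree as ET
from typing import Dict, Iterable, Optional, Tuple
from urllib.parse import urlsplit
from xml.sax.saxutils import escape

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"


def build_authn_request(acs_url: str) -> str:
    """Constructed (unsigned) AuthnRequest used as sample input; not a capture."""
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}" '
        'ID="_example-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
        f'AssertionConsumerServiceURL="{escape(acs_url, {chr(34): "&quot;"})}">'
        '<saml:Issuer>https://sp.digitalairlines.com/saml2/metadata</saml:Issuer>'
        '</samlp:AuthnRequest>'
    )


def acs_url_from_request(authn_request_xml: str) -> Optional[str]:
    """Pull AssertionConsumerServiceURL out of an AuthnRequest.

    ElementTree is used for brevity; a production parser handling untrusted
    XML should be hardened against entity expansion (for example defusedxml).
    """
    root = ET.fromstring(authn_request_xml)
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        raise ValueError("not a samlp:AuthnRequest")
    return root.get("AssertionConsumerServiceURL")


def parse_domain_whitelist(value: str) -> set:
    """SAML2_ACS_DOMAIN_WHITELIST holds domain names separated by ';'."""
    return {d.strip().lower().rstrip(".") for d in value.split(";") if d.strip()}


def acs_allowed(acs_url: Optional[str], trusted_acs_urls: Iterable[str],
                options: Dict[str, str]) -> Tuple[bool, str]:
    """Apply the two options in the order the page describes.

    Stage 1 (SAML2_ACS_URL_RESTRICT): the requested ACS URL must exactly
    equal one of the ACS URLs from trusted metadata.
    Stage 2 (SAML2_ACS_DOMAIN_WHITELIST): the ACS host must additionally be
    in the whitelist. Stage 2 is skipped entirely when stage 1 is not
    enabled, which is why the whitelist does not work on its own.
    """
    restrict = options.get("SAML2_ACS_URL_RESTRICT", "").strip().lower() == "true"
    whitelist = options.get("SAML2_ACS_DOMAIN_WHITELIST", "")
    if not restrict:
        return True, "SAML2_ACS_URL_RESTRICT not enabled; ACS URL not checked"
    if acs_url is None:
        return True, "request carries no ACS URL; nothing to restrict"
    acs = acs_url.strip()
    if acs not in {u.strip() for u in trusted_acs_urls}:
        return False, "ACS URL is not in trusted metadata"
    if whitelist.strip():
        host = urlsplit(acs).hostname
        if not host or host.rstrip(".") not in parse_domain_whitelist(whitelist):
            return False, "ACS host is not in SAML2_ACS_DOMAIN_WHITELIST"
    return True, "ACS URL accepted"


def check_request(authn_request_xml: str, trusted_acs_urls: Iterable[str],
                  options: Dict[str, str]) -> Tuple[bool, str]:
    """Parse the request and run both stages; returns (allowed, reason)."""
    return acs_allowed(acs_url_from_request(authn_request_xml),
                       trusted_acs_urls, options)
```

The third outcome worth noting is a metadata file that still lists an old ACS endpoint on another domain: stage 1 accepts it because it is in metadata, and only the domain whitelist (stage 2) refuses it, which is the "additional validation" the property description refers to.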