1.7 Configuring a Whitelist of Target URLs

URL redirection, which many applications and services require, inherently brings in security risks. During a redirect, the request can be tampered with to send users to an external, malicious site. To prevent such issues, you can configure a list of permissible URLs in the OSP configuration. This restricts redirection to the configured URLs. For example, when an authentication request targets a URL that is not on OSP's whitelist, OSP rejects the request.

1.7.1 Configuring a Whitelist of Target URLs in Identity Applications

You can control which URLs the identity applications can redirect to after logout. This behavior is controlled by the com.novell.pwdmgmt.login.PREF_LOGOUT_WHITELIST entry in the ism-configuration.properties file. To allow the identity applications to redirect to a URL after logout, add that URL, or a regular expression matching that URL, to this entry in one of the following formats:

https://google.com

or

https://www\\.((google)\|(wikipedia))\\.com

1.7.2 Configuring a Whitelist of Target URLs in OSP

The whitelist feature is turned on by default. You can manually configure the whitelist entries or disable the whitelist by modifying certain settings in the ism-configuration.properties file.

To disable the whitelist, add the following property to the ism-configuration.properties file:

com.netiq.idm.osp.target-white-list.enabled = false

To configure the whitelist manually, add the following property to the ism-configuration.properties file:

com.netiq.idm.osp.target-white-list.mode = manual

You can add one or both of the following properties:

com.netiq.idm.osp.target-white-list.uris = <space-separated-list-of-urls>
com.netiq.idm.osp.target-white-list.uri-patterns = <space-separated-list-of-url-regex>

For example:

com.netiq.idm.osp.target-white-list.uris = https://www.google.com/ http://bing.com

com.netiq.idm.osp.target-white-list.uri-patterns = \\Qhttps\\E://.*\\Q.provo.novell.com\\E \\Qhttps\\E://.*\\Q.microfocus.com\\E

To add to the automatically configured whitelist, include the com.netiq.idm.osp.target-white-list.uris property, the com.netiq.idm.osp.target-white-list.uri-patterns property, or both, and set com.netiq.idm.osp.target-white-list.mode = mixed.
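The following Python script is a worked example added here; it is not OSP's or the identity applications' code. It models how the entries from sections 1.7.1 and 1.7.2 are evaluated: it reads a constructed ism-configuration.properties fragment (built from the property names and example values on this page) using java.util.Properties escaping rules, so that `\\.` in the file becomes `\.` in the regular expression and `\|` becomes `|`, translates Java's `\Q...\E` quoting (which Python's re module does not support), and decides whether a redirect target is permitted under the enabled and mode settings. Assumptions not stated on the page: plain URL entries are compared by exact string equality, patterns must match the whole URL (Java Matcher.matches semantics), every PREF_LOGOUT_WHITELIST entry is treated as a regular expression, and the `auto_uris` parameter stands in for the automatically configured whitelist, whose contents the page does not list. `TIGHT_PROPS` is a suggested tightening of the page's host pattern, not a setting the page prescribes.

```python
import re

# Constructed ism-configuration.properties fragment. Property names and example
# values are the ones on this page; the file itself is assembled for the demo.
SAMPLE_PROPERTIES = r"""
# OSP target whitelist (section 1.7.2)
com.netiq.idm.osp.target-white-list.enabled = true
com.netiq.idm.osp.target-white-list.mode = manual
com.netiq.idm.osp.target-white-list.uris = https://www.google.com/ http://bing.com
com.netiq.idm.osp.target-white-list.uri-patterns = \\Qhttps\\E://.*\\Q.provo.novell.com\\E \\Qhttps\\E://.*\\Q.microfocus.com\\E
# Identity applications logout whitelist (section 1.7.1)
com.novell.pwdmgmt.login.PREF_LOGOUT_WHITELIST = https://google.com https://www\\.((google)\|(wikipedia))\\.com
"""

PREFIX = "com.netiq.idm.osp.target-white-list."


def unescape_property_value(raw):
    """java.util.Properties value escaping: '\\\\' -> '\\', \\t \\n \\r \\f,
    \\uXXXX, and any other escaped character stands for itself (so \\| -> |)."""
    out, i = [], 0
    while i < len(raw):
        ch = raw[i]
        if ch == "\\" and i + 1 < len(raw):
            nxt = raw[i + 1]
            if nxt == "u" and i + 6 <= len(raw):
                out.append(chr(int(raw[i + 2:i + 6], 16)))
                i += 6
                continue
            out.append({"t": "\t", "n": "\n", "r": "\r", "f": "\f"}.get(nxt, nxt))
            i += 2
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def load_properties(text):
    """Minimal properties parser: key = value per line, '#' comments, values
    unescaped. Keys are not unescaped (none on this page need it)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = unescape_property_value(value.strip())
    return props


def java_regex_to_python(pattern):
    """Translate Java's \\Q...\\E literal quoting into escaped text; everything
    outside a \\Q...\\E block is passed through unchanged."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("\\Q", i):
            end = pattern.find("\\E", i + 2)
            literal = pattern[i + 2:] if end < 0 else pattern[i + 2:end]
            out.append(re.escape(literal))
            i = len(pattern) if end < 0 else end + 2
        else:
            out.append(pattern[i])
            i += 1
    return "".join(out)


def _matches_any_pattern(url, patterns):
    # Whole-URL match, modelling Java's Matcher.matches (assumption).
    return any(re.fullmatch(java_regex_to_python(p), url) for p in patterns)


def osp_target_allowed(url, props, auto_uris=()):
    """Section 1.7.2: may OSP redirect to `url`? auto_uris is a placeholder for
    the automatically configured whitelist; 'mixed' adds manual entries to it,
    'manual' uses the manual entries only. Exact entries use string equality."""
    if props.get(PREFIX + "enabled", "true").lower() == "false":
        return True  # whitelist disabled: no restriction at all
    mode = props.get(PREFIX + "mode", "auto")
    uris = props.get(PREFIX + "uris", "").split()
    patterns = props.get(PREFIX + "uri-patterns", "").split()
    if mode == "manual":
        allowed_uris = uris
    elif mode == "mixed":
        allowed_uris = list(auto_uris) + uris
    else:  # automatic list only (assumed default when mode is unset)
        allowed_uris, patterns = list(auto_uris), []
    return url in allowed_uris or _matches_any_pattern(url, patterns)


def logout_redirect_allowed(url, props):
    """Section 1.7.1: each PREF_LOGOUT_WHITELIST entry is a URL or a regex; the
    model treats every entry as a whole-URL regex (assumption), which also
    accepts the plain-URL form."""
    entries = props.get("com.novell.pwdmgmt.login.PREF_LOGOUT_WHITELIST", "").split()
    return _matches_any_pattern(url, entries)


PROPS = load_properties(SAMPLE_PROPERTIES)

# Tighter variant of the page's microfocus pattern: '.*' is limited to host
# characters, so the '.microfocus.com' suffix cannot come from a path or query.
TIGHT_PROPS = load_properties(SAMPLE_PROPERTIES.replace(
    r"\\Qhttps\\E://.*\\Q.microfocus.com\\E",
    r"\\Qhttps://\\E[A-Za-z0-9.-]+\\Q.microfocus.com\\E(/.*)?"))

if __name__ == "__main__":
    for target in ("https://www.google.com/", "https://sso.provo.novell.com",
                   "https://evil.example/", "https://evil.example/?next=.microfocus.com"):
        print(f"{target:48} page pattern: {osp_target_allowed(target, PROPS)!s:5} "
              f"tightened: {osp_target_allowed(target, TIGHT_PROPS)}")
```

The last constructed target is the check worth running against any pattern you put in uri-patterns: because `.*` also matches `/`, `?` and `=`, the page's `\Qhttps\E://.*\Q.microfocus.com\E` accepts a URL whose host is unrelated as long as the string ends in `.microfocus.com`, whereas the host-restricted variant in `TIGHT_PROPS` rejects it and still accepts `https://www.microfocus.com/login`.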