How To
Archived

How do I configure a list of valid goto URL domains in OpenAM 11.0.0, 11.0.1 and 11.0.2?

Last updated Jan 5, 2021

The purpose of this article is to provide information on configuring a list of valid goto URL domains to which users can be redirected after authentication in OpenAM 11.0.0, 11.0.1 and 11.0.2. This is good practice to increase security against possible phishing attacks through open redirect. When you specify a URL domain list, the domain of the URL stated in the goto or gotoOnFail parameter must exist on the URL domain list for the user to be redirected. If you do not specify a URL domain list, all domains included in URLs specified in the goto or gotoOnFail parameter are considered valid.


Archived

This article has been archived and is no longer maintained by ForgeRock.

Configuring a list of valid goto URL domains (global)

You can configure this URL domain list using either the OpenAM console or ssoadm:

  • OpenAM console: navigate to: Configuration > Authentication > Core > Security > Valid goto URL domains and add the valid goto domains.
  • ssoadm: enter the following command: $ ./ssoadm set-attr-defs -s iPlanetAMAuthService -t organization -u [adminID] -f [passwordfile] -a iplanet-am-auth-valid-goto-domains=[domain] replacing [adminID], [passwordfile] and [domain] with appropriate values.

You can add as many domains as required by adding multiple iplanet-am-auth-valid-goto-domains properties separated by a space with the domain in quotes. For example:

$ ./ssoadm set-attr-defs -s iPlanetAMAuthService -t organization -u amadmin -f pwd.txt -a iplanet-am-auth-valid-goto-domains="http://website.example.com/*" iplanet-am-auth-valid-goto-domains="http://website.example.com/*?*"

See  OpenAM Administration Guide › Defining Authentication Services › Configuring Valid goto URL Resources for examples of URL pattern matching to help you populate your URL resource list.

Note

You must restart the web application container in which OpenAM runs to apply these configuration changes. 

Configuring a list of valid goto URL domains (realm)

Note

Realm level URL domain lists take precedence over the global level URL domain lists if both are specified and the user is logged into the realm.

You can configure the URL domain list for a realm using either the OpenAM console or ssoadm:

  • OpenAM console: navigate to: Access Control > [Realm Name] > Authentication > All Core Settings > Valid goto URL domains and add the valid goto domains.
  • ssoadm: enter the following command: $ ./ssoadm set-realm-svc-attrs -s iPlanetAMAuthService -e [realmname] -u [adminID] -f [passwordfile] -a iplanet-am-auth-valid-goto-domains=[domain] replacing [realmname], [adminID], [passwordfile] and [domain] with appropriate values.

You can add as many domains as required by adding multiple iplanet-am-auth-valid-goto-domains properties separated by a space with the domain in quotes. For example:

$ ./ssoadm set-realm-svc-attrs -s iPlanetAMAuthService -e / -u amadmin -f pwd.txt -a iplanet-am-auth-valid-goto-domains="http://website.example.com/*" iplanet-am-auth-valid-goto-domains="http://website.example.com/*?*"

See  OpenAM Administration Guide › Defining Authentication Services › Configuring Valid goto URL Resources for examples of URL pattern matching to help you populate your URL resource list.

Note

You must restart the web application container in which OpenAM runs to apply these configuration changes. 

See Also

How do I configure a list of valid goto URL resources in AM 5.x, 6.0.0.x, 6.5.0.x, 6.5.1 and 6.5.2.x?

OpenAM Administration Guide › Securing OpenAM › Avoiding Obvious Defaults

OpenAM Administration Guide › Defining Authentication Services › Configuring Valid goto URL Resources

Related Training

N/A

Related Issue Tracker IDs

N/A


Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.