How do I configure a list of valid goto URL domains in OpenAM 11.0.0, 11.0.1 and 11.0.2?
The purpose of this article is to provide information on configuring a list of valid goto URL domains to which users can be redirected after authentication in OpenAM 11.0.0, 11.0.1 and 11.0.2. Configuring this list is good practice: without it, the goto and gotoOnFail parameters act as an open redirect, which phishing attacks can abuse to send a user from your genuine login page to an attacker-controlled site. When you specify a URL domain list, the URL stated in the goto or gotoOnFail parameter must match an entry on the list for the user to be redirected. If you do not specify a URL domain list, all domains included in URLs specified in the goto or gotoOnFail parameter are considered valid.
Archived
This article has been archived and is no longer maintained by ForgeRock.
Configuring a list of valid goto URL domains (global)
You can configure this URL domain list using either the OpenAM console or ssoadm:
- OpenAM console: navigate to: Configuration > Authentication > Core > Security > Valid goto URL domains and add the valid goto domains.
- ssoadm: enter the following command: $ ./ssoadm set-attr-defs -s iPlanetAMAuthService -t organization -u [adminID] -f [passwordfile] -a iplanet-am-auth-valid-goto-domains=[domain] replacing [adminID], [passwordfile] and [domain] with appropriate values.
You can add as many domains as required by adding multiple iplanet-am-auth-valid-goto-domains properties separated by a space with the domain in quotes. For example:
$ ./ssoadm set-attr-defs -s iPlanetAMAuthService -t organization -u amadmin -f pwd.txt -a iplanet-am-auth-valid-goto-domains="http://website.example.com/*" iplanet-am-auth-valid-goto-domains="http://website.example.com/*?*"
See OpenAM Administration Guide › Defining Authentication Services › Configuring Valid goto URL Resources for examples of URL pattern matching to help you populate your URL resource list.
Note
You must restart the web application container in which OpenAM runs to apply these configuration changes.
Configuring a list of valid goto URL domains (realm)
Note
Realm level URL domain lists take precedence over the global level URL domain lists if both are specified and the user is logged into the realm.
You can configure the URL domain list for a realm using either the OpenAM console or ssoadm:
- OpenAM console: navigate to: Access Control > [Realm Name] > Authentication > All Core Settings > Valid goto URL domains and add the valid goto domains.
- ssoadm: enter the following command: $ ./ssoadm set-realm-svc-attrs -s iPlanetAMAuthService -e [realmname] -u [adminID] -f [passwordfile] -a iplanet-am-auth-valid-goto-domains=[domain] replacing [realmname], [adminID], [passwordfile] and [domain] with appropriate values.
You can add as many domains as required by adding multiple iplanet-am-auth-valid-goto-domains properties separated by a space with the domain in quotes. For example:
$ ./ssoadm set-realm-svc-attrs -s iPlanetAMAuthService -e / -u amadmin -f pwd.txt -a iplanet-am-auth-valid-goto-domains="http://website.example.com/*" iplanet-am-auth-valid-goto-domains="http://website.example.com/*?*"
See OpenAM Administration Guide › Defining Authentication Services › Configuring Valid goto URL Resources for examples of URL pattern matching to help you populate your URL resource list.
Note
You must restart the web application container in which OpenAM runs to apply these configuration changes.
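Before applying a list with either of the ssoadm commands above (global or realm), it is worth checking offline which goto values it would accept and, more importantly, which open-redirect tricks it would reject. The following is an added example, not part of the original article and not OpenAM code. It assumes the wildcard rule the OpenAM Administration Guide gives for URL resource patterns, namely that `*` matches zero or more characters but never `?`, which is why the commands above list both `http://website.example.com/*` and `http://website.example.com/*?*`. The candidate goto values are constructed for illustration. Only `*` is implemented; the `-*-` single-level wildcard and any case handling OpenAM applies are not, so confirm results against the running instance.

```python
"""Offline sanity check for a candidate 'Valid goto URL domains' list.

Added example; not OpenAM code and not part of the original article.
Assumption: '*' matches zero or more characters but never '?', as the
OpenAM Administration Guide describes for URL resource patterns. The
'-*-' wildcard and OpenAM's case handling are not modelled here.
"""
import re
from typing import Dict, Iterable

# Constructed sample list, the same values used in the ssoadm commands above.
PATTERNS = [
    "http://website.example.com/*",
    "http://website.example.com/*?*",
]


def pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate one iplanet-am-auth-valid-goto-domains value into a regex.

    Every character is matched literally except '*', which becomes '[^?]*'
    so the wildcard cannot swallow the query-string separator; a query
    string is only reachable through a literal '?' in the pattern.
    """
    parts = [r"[^?]*" if ch == "*" else re.escape(ch) for ch in pattern]
    return re.compile("".join(parts))


def goto_allowed(goto: str, patterns: Iterable[str]) -> bool:
    """True if the (already URL-decoded) goto value matches any pattern."""
    return any(pattern_to_regex(p).fullmatch(goto) is not None for p in patterns)


def review(patterns: Iterable[str], candidates: Iterable[str]) -> Dict[str, bool]:
    """Map each candidate goto URL to whether the list would allow it."""
    patterns = list(patterns)
    return {url: goto_allowed(url, patterns) for url in candidates}


# Constructed goto values: the first two are legitimate targets, the rest are
# the redirect targets an attacker would try to smuggle into goto/gotoOnFail.
CANDIDATES = [
    "http://website.example.com/",
    "http://website.example.com/app/home?lang=en",
    "https://website.example.com/",                  # scheme not on the list
    "http://website.example.com.evil.example/",      # host-suffix trick
    "http://website.example.com@evil.example/",      # userinfo trick
    "//evil.example/",                               # protocol-relative URL
    "http://evil.example/?r=http://website.example.com/",
]

if __name__ == "__main__":
    for url, ok in review(PATTERNS, CANDIDATES).items():
        print(f"{'ALLOW' if ok else 'REJECT':6} {url}")
```

Two points the output makes visible: a list that only contains `http://` entries rejects the `https://` form of the same site, so every scheme users are actually redirected to must be listed, and the `*?*` entry is what allows a goto URL carrying a query string while still pinning the scheme and host.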
See Also
How do I configure a list of valid goto URL resources in AM 6.0.x, 6.5.0.x, 6.5.1 and 6.5.2.x?
OpenAM Administration Guide › Securing OpenAM › Avoiding Obvious Defaults
Related Training
N/A
Related Issue Tracker IDs
N/A