How To
ForgeRock Identity Platform
Does not apply to Identity Cloud

How do I configure a list of valid goto URL resources in AM 5.x, 6.0.0.x, 6.5.0.x, 6.5.1 and 6.5.2.x?

Last updated Apr 13, 2021

The purpose of this article is to provide information on configuring a list of valid goto URL resources to which users can be redirected after authentication in AM. This is good practice to increase security against possible phishing attacks through open redirect. When you specify a URL resource list, the resource of the URL stated in the goto or gotoOnFail parameter must exist on the URL resource list for the user to be redirected. If you do not specify a URL resource list, all resources included in URLs specified in the goto or gotoOnFail parameter are considered valid.



AM 6.5.3 and later

Earlier versions of AM redirected the user to the URL specified in the goto and gotoOnFail query string parameters supplied to the authentication service (or SAML v2.0 entities) during login and logout. To harden security against phishing attacks, we recommended that you configure the Validation Service.

By default, AM 6.5.3 and later only redirects to the URLs specified in those query string parameters if the URLs are in the same domain as AM. To allow redirect URLs that are not in the same domain, you must configure the Validation Service.

See Authentication and Single Sign-On Guide › Configuring Success and Failure Redirection URLs for further information.

Configuring a list of valid goto URL resources (global)

You can configure this URL resource list using either the console or ssoadm:

  • Console: navigate to: Configure > Global Services > Validation Service and add the valid goto URL resources.
  • ssoadm: enter the following command: $ ./ssoadm set-attr-defs -s validationService -t organization -u [adminID] -f [passwordfile] -a openam-auth-valid-goto-resources=[resource] replacing [adminID], [passwordfile] and [resource] with appropriate values.

You can add as many resources as required by adding multiple openam-auth-valid-goto-resources properties separated by a space with the resource in quotes. For example:

  • AM 7 and later: $ ./ssoadm set-attr-defs -s validationService -t organization -u uid=amAdmin,ou=People,dc=openam,dc=forgerock,dc=org -f pwd.txt -a openam-auth-valid-goto-resources="http://website.example.com/*" openam-auth-valid-goto-resources="http://website.example.com/*?*"
  • Pre-AM 7: $ ./ssoadm set-attr-defs -s validationService -t organization -u amadmin -f pwd.txt -a openam-auth-valid-goto-resources="http://website.example.com/*" openam-auth-valid-goto-resources="http://website.example.com/*?*"

See Authentication and Single Sign-On Guide › Constraining Post-Login Redirects for examples of URL pattern matching to help you populate your URL resource list.

Configuring a list of valid goto URL resources (realm)

Realm level URL resource lists take precedence over the global level URL resource lists if both are specified and the user is logged into the realm.

Note

If the Validation Service is not listed under Services, add it by clicking Add a Service (or Add) and then selecting Validation Service. If you are using ssoadm, replace set-realm-svc-attrs with add-svc-realm in the ssoadm command to add the service and set its attributes in one step.

You can configure this URL resource list using either the console or ssoadm:

  • Console: navigate to: Realms > [Realm Name] > Services > Validation Service and add the valid goto URL resources.
  • ssoadm: enter the following command: $ ./ssoadm set-realm-svc-attrs -s validationService -e [realmname] -u [adminID] -f [passwordfile] -a openam-auth-valid-goto-resources=[resource] replacing [realmname], [adminID], [passwordfile] and [resource] with appropriate values.

You can add as many resources as required by adding multiple openam-auth-valid-goto-resources properties separated by a space with the resource in quotes. For example:

  • AM 7 and later: $ ./ssoadm set-realm-svc-attrs -s validationService -e / -u uid=amAdmin,ou=People,dc=openam,dc=forgerock,dc=org -f pwd.txt -a openam-auth-valid-goto-resources="http://website.example.com/*" openam-auth-valid-goto-resources="http://website.example.com/*?*"
  • Pre-AM 7: $ ./ssoadm set-realm-svc-attrs -s validationService -e / -u amadmin -f pwd.txt -a openam-auth-valid-goto-resources="http://website.example.com/*" openam-auth-valid-goto-resources="http://website.example.com/*?*"

See Authentication and Single Sign-On Guide › Constraining Post-Login Redirects for examples of URL pattern matching to help you populate your URL resource list.
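The following is an added example, not part of this article or of AM's code, that models how a goto URL is checked against the resource list configured above (global or realm). It assumes the pattern semantics documented for AM resource patterns (a single * matches any characters except ?, and -*- matches any characters except / and ?), which is why the ssoadm examples list both http://website.example.com/* and http://website.example.com/*?*. It also models the AM 6.5.3 and later default of allowing only same-domain redirects when no list is configured, simplified here to a host comparison. The URLs and patterns are constructed sample values; the function and parameter names are the example's own.

```python
import re
from urllib.parse import urlsplit

# Constructed allowlist mirroring the two resources set in the ssoadm examples above.
VALID_GOTO_RESOURCES = [
    "http://website.example.com/*",
    "http://website.example.com/*?*",
]


def pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate an AM-style resource pattern into an anchored regex.

    Assumed semantics (verify against the documentation for your AM version):
      *    matches zero or more characters except '?'
      -*-  matches zero or more characters except '/' and '?'
    Every other character is matched literally.
    """
    parts = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("-*-", i):
            parts.append(r"[^/?]*")
            i += 3
        elif pattern[i] == "*":
            parts.append(r"[^?]*")
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$")


def is_valid_goto(goto: str, resources=None, am_base_url="http://am.example.com:8080/am") -> bool:
    """Return True if the goto/gotoOnFail value may be used as a redirect target.

    - With a non-empty resource list, the URL must match at least one pattern.
    - With no list, fall back to the AM 6.5.3+ default: only redirects whose host
      (scheme://host:port) equals AM's own are allowed. (Simplified model; AM's
      real normalisation of case and default ports may differ.)
    """
    if resources is None:
        resources = VALID_GOTO_RESOURCES
    if not resources:
        return urlsplit(goto).netloc.lower() == urlsplit(am_base_url).netloc.lower()
    return any(pattern_to_regex(p).fullmatch(goto) for p in resources)


def explain(goto: str, resources=None) -> str:
    """Human-readable verdict for a goto value, useful when tuning a resource list."""
    return f"{goto!r}: {'allowed' if is_valid_goto(goto, resources) else 'REJECTED'}"


if __name__ == "__main__":
    for url in (
        "http://website.example.com/login",
        "http://website.example.com/login?next=1",
        "https://website.example.com/login",   # scheme not covered by the list
        "http://other.example.net/",           # host not covered by the list
    ):
        print(explain(url))
    # Show why the second pattern (*?*) is needed: a lone * does not match '?'
    print(explain("http://website.example.com/login?next=1", ["http://website.example.com/*"]))
```

Run the block directly to see which sample redirect targets the two-pattern list accepts. Note that the list is matched literally on scheme, so an https deployment needs its own https://... patterns, and that without the *?* pattern any goto carrying a query string is rejected.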

See Also

Installation Guide › Avoiding Obvious Defaults

Related Training

N/A

Related Issue Tracker IDs

N/A


Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.