How to whitelist allowed nextTargetURL in PAS

Overview

To prevent URL redirection to untrusted sites, PhenixID Server should be configured to allow only specific URLs.
The system then verifies the target URL against a list of approved sites/domains.
As seen in the example below, this parameter is set using a regular expression.

(SAML and OpenID Connect redirects (to external IdP/SP/RP/OP) are excluded from this list, as those URLs are part of the established trust.)

To prevent URL redirection to untrusted sites, PhenixID Server will check the target URL and verify it against a list of approved sites/domains:

  • Own server domain(s)
  • List of manually added domains

This document describes how to block every "logoff_uri" target except those configured as valid targets.

Instruction

There are three different parameters that can be used to manage the allowed targets. These parameters are combined into ONE regular expression, which is then used to validate the target.

The parameters are:

"allowedLogoutTargetPrefix" - The first part of the regex. Has to end with | in order to be combined with the next parameter.

"allowedLogoutTarget" - The default allowed target, maintained by PhenixID.

"allowedLogoutTargetSuffix" - The last part of the regex. Has to start with | in order to be combined with the previous parameter.

An example of configuration can be found below.

This parameter is configured in boot.json on the authenticator used, as in this example:

{
  "name": "com.phenixidentity~auth-http",
  "enabled": "true",
  "config": {
    "ssl": "true",
    "port": "8443",
    "allowedLogoutTargetPrefix": ".*\\.site1\\.se\\/.*|.*\\.site2\\.se\\/.*|",
    "root_uri": "/config"
  }
}

NOTE:
The regex used in this example requires a name before .site1.se / .site2.se, such as www.site1.se, because the pattern uses ".*\." before site1/site2. At the end of the target we add "\/.*", meaning the URL must end with a "/". This is done to prevent redirects to shouldnotbeused.site1.se or site1.se.shouldnotbeused.com.
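
The following is an added example, not part of the PhenixID documentation or product code. It shows how the three parameters concatenate into one regex, why the trailing "|" on the prefix matters, how the double backslashes in boot.json decode, and which of the URLs discussed in the note are accepted. The default value of "allowedLogoutTarget" is not given on the page, so a constructed stand-in is used, and whole-URL matching is assumed.

```python
import json
import re

# Constructed stand-in for the PhenixID-maintained default ("allowedLogoutTarget").
# The real default is not on the page; this one mirrors the "own server domain" rule.
DEFAULT_ALLOWED_LOGOUT_TARGET = r".*\.pas\.example\/.*"

# Constructed boot.json fragment copied from the page's auth-http example.
# Each "\\" in the JSON text decodes to a single regex backslash.
BOOT_JSON_FRAGMENT = r'''{"allowedLogoutTargetPrefix": ".*\\.site1\\.se\\/.*|.*\\.site2\\.se\\/.*|"}'''
SAMPLE_CONFIG = json.loads(BOOT_JSON_FRAGMENT)


def build_logout_target_regex(config):
    """Combine prefix + default + suffix into the single regex used for validation.

    The combination is plain string concatenation, which is why the page requires
    a trailing '|' on the prefix and a leading '|' on the suffix.
    """
    prefix = config.get("allowedLogoutTargetPrefix", "")
    default = config.get("allowedLogoutTarget", DEFAULT_ALLOWED_LOGOUT_TARGET)
    suffix = config.get("allowedLogoutTargetSuffix", "")
    if prefix and not prefix.endswith("|"):
        raise ValueError("allowedLogoutTargetPrefix must end with '|'")
    if suffix and not suffix.startswith("|"):
        raise ValueError("allowedLogoutTargetSuffix must start with '|'")
    return re.compile(prefix + default + suffix)


def is_allowed_logout_target(url, pattern):
    """Assumption: PAS requires the whole URL to match (Java String.matches style)."""
    return pattern.fullmatch(url) is not None


def is_allow_all(config):
    """Flag the '.*' setting the page warns against."""
    return config.get("allowedLogoutTarget") == ".*"


def check_targets(config, urls):
    """Return {url: allowed?} for a list of candidate logoff_uri values."""
    pattern = build_logout_target_regex(config)
    return {url: is_allowed_logout_target(url, pattern) for url in urls}


if __name__ == "__main__":
    for url, ok in check_targets(SAMPLE_CONFIG, [
        "http://www.site1.se/",                      # accepted
        "http://www.site2.se",                       # rejected: no trailing "/"
        "http://www.site1.se.shouldnotbeused.com/",  # rejected
        "http://site1.se/",                          # rejected: nothing before ".site1.se"
    ]).items():
        print(f"{'ALLOW ' if ok else 'REJECT'} {url}")
```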

Since the change is made in boot.json, a restart of the service is needed for the change to take effect.

We can then add allowed targets to the module used for the application, as in these examples:

{
  "name": "com.phenixidentity~phenix-prism",
  "enabled": "true",
  "config": {
    "base_url": "/selfservice",
    "logoff_uri": "http://www.site1.se/",
    "auth_redirect_url": "/selfservice/authenticate/0b0f59f9-c561-4926-836a-d7c6bad3c068",
    "http_configuration_ref": "05df53b8-402f-4002-926c-7bad33ae8847",
    "module_refs": "3faadfd5-6260-47ea-9afa-6a42900a0633",
    "enable_roles": "true"
  },
  "id": "f25f9dc2-357e-4d0f-9ef0-7460394482b2"
}

{
  "name": "com.phenixidentity~phenix-prism",
  "enabled": "true",
  "config": {
    "base_url": "/mfaadmin",
    "logoff_uri": "http://www.site2.se/",
    "auth_redirect_url": "/mfaadmin/authenticate/e95b6db4-2e16-4ecc-856f-d619684c42c8",
    "http_configuration_ref": "4aa1b5fd-07e4-4e56-beaf-d18301edc160",
    "module_refs": "e9cdc123-edca-4a90-a785-a263fc89e933,69925bf9-cbfd-4169-9691-3b0cd9615a64",
    "enable_roles": "true"
  },
  "id": "d62fef49-c129-46d0-bec2-4009dc516059"
}

While it's technically possible to allow all redirects, this practice is strongly discouraged in production environments due to significant security risks.

Configuration to Allow All Redirects:

"allowedLogoutTarget": ".*"

Warning

Setting allowedLogoutTarget to .* permits redirection to any URL, which can expose your application to phishing attacks and other security vulnerabilities. Use this configuration only for testing purposes in a controlled environment.