How to prevent SMPORTALURL from being modified to point at an undesired site?

Document ID : KB000015296
Last Modified Date : 14/02/2018
Question:

I'd like to validate the value of SMPORTALURL before the browser gets redirected to it. This is to prevent the request from being directed to an undesired site. How can I do it?

 

Answer:

  You can set the ACO parameter SecureURLs so that the SMPORTALURL value cannot be modified. You can also use a specific feature that encrypts only the value of SMPORTALURL.

  This feature prevents the modification, or the injection, of an undesired value for that parameter by encrypting the value of SMPORTALURL. From the documentation:

 

  Use Secure Authentication URL: specify whether the single sign-on service must encrypt only the SMPORTALURL query parameter.

 

  An encrypted SMPORTALURL prevents a malicious user from modifying the value and redirecting authenticated users to a malicious website. The SMPORTALURL is appended to the Authentication URL before the browser redirects the user to establish a session. After the user is authenticated, the browser directs the user back to the destination specified in the SMPORTALURL query parameter.

 

  If you select this option, complete the following steps:

 

  Set the Authentication URL field to the following URL: 

 

  https://idp_server:port/affwebservices/secure/secureredirect 

 

  R12.7 Documentation
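  The flow quoted above is what makes an unencrypted SMPORTALURL an open-redirect target: the value travels as a plain query parameter on the Authentication URL and is used as the post-login destination, so anyone who can get a victim to click a crafted link controls where the victim lands. The supported fix is SecureURLs or the secure redirect described above. If you also have a component you control in front of that redirect (a reverse proxy, a custom login page) and want to vet the value yourself, as asked in the question, the following is an added example of what such a check has to cover. It is not code from this KB article or from the SiteMinder/Federation product, and the IdP host, the redirect.jsp path and the allow-listed portal hosts are assumed names constructed for the example.

```python
from urllib.parse import urlsplit, urlencode, parse_qs

# Constructed for this example: an assumed Authentication URL (the unencrypted
# redirect.jsp flow) and the hosts users may legitimately be sent back to.
AUTH_URL = "https://idp.example.com/affwebservices/redirectjsp/redirect.jsp"
ALLOWED_PORTAL_HOSTS = {"portal.example.com", "intranet.example.com"}


def build_auth_redirect(portal_url: str) -> str:
    """Append SMPORTALURL to the Authentication URL, as the SSO service does
    before the browser is redirected to establish a session."""
    return AUTH_URL + "?" + urlencode({"SMPORTALURL": portal_url})


def is_safe_portal_url(value: str) -> bool:
    """Accept SMPORTALURL only if it is an https URL to an allow-listed host.

    Rejects the usual open-redirect tricks: protocol-relative URLs (//evil),
    userinfo (https://portal.example.com@evil), backslash confusion
    (https://portal.example.com\\@evil, which browsers read as a slash),
    look-alike suffixes (portal.example.com.evil), non-https schemes,
    non-default ports and control characters.
    """
    if not value or len(value) > 2048:
        return False
    # Raw control characters, spaces or backslashes never belong in a clean
    # destination URL; refuse rather than guess how a browser would parse them.
    if any(ord(c) < 0x21 or c == "\\" for c in value):
        return False
    parts = urlsplit(value)
    if parts.scheme.lower() != "https":
        return False
    # Any userinfo means the text before '@' is not the host the browser goes to.
    if parts.username is not None or parts.password is not None:
        return False
    host = parts.hostname  # lower-cased, userinfo and port stripped
    if host is None:
        return False
    try:
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return False
    if port not in (None, 443):
        return False
    # Exact match only: no suffix or substring matching on the host name.
    return host in ALLOWED_PORTAL_HOSTS


def portal_url_from_redirect(redirect_url: str):
    """Pull SMPORTALURL out of an Authentication URL and vet it.

    Returns the destination to send the user to, or None if the value must be
    dropped (missing, duplicated to confuse the parser, or not allow-listed).
    """
    qs = parse_qs(urlsplit(redirect_url).query, keep_blank_values=True)
    values = qs.get("SMPORTALURL", [])
    if len(values) != 1:
        return None
    return values[0] if is_safe_portal_url(values[0]) else None


if __name__ == "__main__":
    # Constructed sample: a legitimate value and attacker-modified variants.
    samples = [
        "https://portal.example.com/app/home",
        "https://portal.example.com@attacker.example/phish",
        "//attacker.example/phish",
        "https://portal.example.com.attacker.example/",
        "https://portal.example.com:8443/",
    ]
    for s in samples:
        decision = portal_url_from_redirect(build_auth_redirect(s))
        print(f"{'ALLOW' if decision else 'DROP '}  {s}")
```

  The check deliberately compares the parsed host name, not the raw string: prefix matching ("starts with https://portal.example.com") is exactly what the userinfo and look-alike-suffix variants in the sample list defeat. Note also that a check like this only helps where you can run it before the redirect is issued; for the standard flow, the encrypted SMPORTALURL from the secure redirect endpoint is the mechanism the product provides.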

 

  This feature is available in Federation 12.7, and it is also available in Federation 12.52 SP1 CR06, where it was delivered as the fix for the following defect:

 

  00355124 00454067 DE159107 DE198549 SMPORTALURL query value can be manipulated as it does not get encrypted while redirecting to redirect.jsp

 

  Defects fixed in R12.52 SP1 CR06