Solutions (older version, Version 2.8)

How to whitelist allowed nextTargetURL in PhenixID Server

This document describes how to define the allowed nextTargetURLs in PhenixID Server.

The reader of this document should have some basic knowledge about PhenixID Server.

System requirements

  • PhenixID Server installed.

Overview

To prevent URL redirection to untrusted sites, PhenixID Server should be configured to only allow specific URLs.
The system then verifies the target URL against a list of approved sites/domains.
As seen in the example below, this parameter is set using a regular expression.
The default value is ".*", which matches any target URL.

To prevent URL redirection to untrusted sites, PhenixID Server will check the target URL and verify it against a list of approved sites/domains:

  • Own server domain(s)
  • List of manually added domains

This document describes how to block every "logoff_uri" except those configured as valid targets.

We will make changes to the configuration files boot.json and phenix-store.json, so please make sure to have a backup of these files.

Instruction

The parameter used to set the allowed nextTargetURLs is "allowedLogoutTarget".
This parameter is configured in boot.json on the authenticator in use, like this example:

{
  "name": "com.phenixidentity~auth-http",
  "enabled": "true",
  "config": {
    "ssl": "true",
    "port": "8443",
    "allowedLogoutTarget": ".*\\.site1\\.se\\/.*|.*\\.site2\\.se\\/.*",
    "root_uri": "/config"
  }
}

NOTE:
The regex used in this example requires something in front of .site1.se or .site2.se, such as www.site1.se, because ".*\\." precedes site1/site2. At the end of the target we add "\\/.*", meaning that the host name must be followed directly by a "/". This is done to stop redirects to look-alike domains such as site1.se.shouldnotbeused.com. Be aware that the leading ".*" still accepts any subdomain of site1.se (for example shouldnotbeused.site1.se), so tighten the prefix if only specific hosts should be allowed.

Since the change is made in boot.json, a restart of the service is needed for the change to take effect.

We can then add allowed targets to the module used for the application in phenix-store.json, as in these examples:

{
  "name": "com.phenixidentity~phenix-prism",
  "enabled": "true",
  "config": {
    "base_url": "/selfservice",
    "logoff_uri": "http://www.site1.se/",
    "auth_redirect_url": "/selfservice/authenticate/0b0f59f9-c561-4926-836a-d7c6bad3c068",
    "http_configuration_ref": "05df53b8-402f-4002-926c-7bad33ae8847",
    "module_refs": "3faadfd5-6260-47ea-9afa-6a42900a0633",
    "enable_roles": "true"
  },
  "id": "f25f9dc2-357e-4d0f-9ef0-7460394482b2"
}

{
  "name": "com.phenixidentity~phenix-prism",
  "enabled": "true",
  "config": {
    "base_url": "/mfaadmin",
    "logoff_uri": "http://www.site2.se/",
    "auth_redirect_url": "/mfaadmin/authenticate/e95b6db4-2e16-4ecc-856f-d619684c42c8",
    "http_configuration_ref": "4aa1b5fd-07e4-4e56-beaf-d18301edc160",
    "module_refs": "e9cdc123-edca-4a90-a785-a263fc89e933,69925bf9-cbfd-4169-9691-3b0cd9615a64",
    "enable_roles": "true"
  },
  "id": "d62fef49-c129-46d0-bec2-4009dc516059"
}
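Before restarting the service it is worth checking which logoff_uri values the allowedLogoutTarget regex actually accepts. The script below is an added example, not PhenixID code: it reads the regex out of a boot.json fragment the way the JSON parser does (so "\\." becomes "\."), runs it against candidate targets including the look-alike hosts from the NOTE, and compares it with a hypothetical stricter pattern (STRICT_JSON_VALUE, my own suggestion) that is anchored to the start of the URL. It assumes the server requires the whole target to match the regex (Java String.matches semantics); the unanchored page pattern also accepts the allowed domain anywhere in the URL, not only as the host.

```python
import json
import re

# Constructed boot.json fragment mirroring the page's example (not the live file).
BOOT_JSON = r'''{
  "name": "com.phenixidentity~auth-http",
  "enabled": "true",
  "config": {
    "ssl": "true",
    "port": "8443",
    "allowedLogoutTarget": ".*\\.site1\\.se\\/.*|.*\\.site2\\.se\\/.*",
    "root_uri": "/config"
  }
}'''

# Hypothetical stricter value, JSON-escaped as it would be written in boot.json:
# anchored to the start, only the two exact hosts, "/" directly after the host.
STRICT_JSON_VALUE = r'"^https?://www\\.(site1|site2)\\.se/.*"'

def compile_allowed_target(json_value: str) -> re.Pattern:
    """Decode one JSON string literal as the server's parser does
    ("\\." becomes "\.") and compile the resulting regex."""
    return re.compile(json.loads(json_value))

def allowed_target_from_boot(boot_json_text: str) -> re.Pattern:
    module = json.loads(boot_json_text)
    return re.compile(module["config"]["allowedLogoutTarget"])

def is_allowed(pattern: re.Pattern, target: str) -> bool:
    # Assumption: the server requires the entire target to match the regex
    # (Java String.matches semantics), which re.fullmatch reproduces.
    return pattern.fullmatch(target) is not None

# Constructed logoff_uri candidates, including the look-alike hosts from the NOTE.
CANDIDATES = [
    "http://www.site1.se/",                   # the intended target
    "http://www.site2.se",                    # no "/" after the host
    "http://site1.se/",                       # nothing in front of .site1.se
    "http://site1.se.shouldnotbeused.com/",   # allowed domain is not the real host
    "http://shouldnotbeused.site1.se/",       # any subdomain of site1.se
    "http://other.example/?next=http://www.site1.se/",  # domain only in the query
]

if __name__ == "__main__":
    page_pattern = allowed_target_from_boot(BOOT_JSON)
    strict_pattern = compile_allowed_target(STRICT_JSON_VALUE)
    for target in CANDIDATES:
        print(f"{target:50} page={is_allowed(page_pattern, target)!s:5} "
              f"strict={is_allowed(strict_pattern, target)}")
```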