Setting iplanet-am-auth-valid-goto-domains in OpenAM13


Setting iplanet-am-auth-valid-goto-domains in OpenAM13

Alberto Treviño

I want to limit the domains that OpenAM will redirect to with the ?goto= parameter. I know I've seen it somewhere, and I keep finding information about the iplanet-am-auth-valid-goto-domains setting via ssoadm.


Is there a place in the UI for this setting or can it only be set via ssoadm? Also, how do I set multiple domains?


_______________________________________________
Visit the OpenAM forum at https://forgerock.org/forum/fr-projects/openam/
OpenAM mailing list
[hidden email]
https://lists.forgerock.org/mailman/listinfo/openam
Re: Setting iplanet-am-auth-valid-goto-domains in OpenAM13

Christian Viola
Hi Alberto,

You can set the goto resource domains via ssoadm (not sure about the UI though) like this:
ssoadm add-svc-attrs -u <adminuser> -f <path-to-password> -e <realm> -s validationService -a openam-auth-valid-goto-resources=https://*.example.com:*/*?*
ssoadm add-svc-attrs -u <adminuser> -f <path-to-password> -e <realm> -s validationService -a openam-auth-valid-goto-resources=https://*.example.com:*/*
ssoadm add-svc-attrs -u <adminuser> -f <path-to-password> -e <realm> -s validationService -a openam-auth-valid-goto-resources=https://www.example.com
...

You could also chain them up or run them in batch mode.

Be careful with wildcards since they allow for potential open-redirects.

Best
/Chris

IAM Engineer | Zalando SE

On 22 June 2016 at 22:35, Alberto Treviño <[hidden email]> wrote:
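As an added illustration of what the goto whitelist above is doing, and of Chris's warning about wildcards, here is a small validator in Python. It is not part of Chris's post and not OpenAM's own code: it assumes a simplified matching rule (`*` stands for any run of characters, everything else is literal, matching ignores case), which is an assumption rather than OpenAM's documented algorithm. It applies the three constructed patterns from the ssoadm commands to a goto value, rejects the URL shapes a string-level whitelist is weakest against, and flags patterns loose enough to turn the whitelist into an open redirect.

```python
import re
from urllib.parse import urlsplit

# Constructed whitelist: the three patterns from the ssoadm commands above.
# Assumption (not OpenAM's documented algorithm): '*' matches any run of
# characters, everything else is literal, and matching ignores case.
GOTO_PATTERNS = [
    "https://*.example.com:*/*?*",
    "https://*.example.com:*/*",
    "https://www.example.com",
]


def pattern_to_regex(pattern):
    """Translate a goto pattern into an anchored, case-insensitive regex."""
    literal_parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(literal_parts) + "$", re.IGNORECASE)


def goto_allowed(goto, patterns=GOTO_PATTERNS):
    """True if goto is a same-host relative path or matches a whitelisted pattern."""
    goto = goto.strip()
    try:
        parts = urlsplit(goto)
        hostname = parts.hostname
    except ValueError:  # e.g. malformed IPv6 literal
        return False
    if not parts.scheme and not parts.netloc:
        # A relative path stays on this host; refuse scheme-relative '//host'
        # and the '/\' form that browsers normalise to '//'.
        return goto.startswith("/") and not goto.startswith(("//", "/\\"))
    if parts.scheme.lower() not in ("http", "https") or not hostname:
        return False
    if "@" in parts.netloc:
        # Credentials in the authority let a string-level pattern match text
        # before the '@' while the browser actually goes to the host after it.
        return False
    return any(pattern_to_regex(p).match(goto) for p in patterns)


def overly_broad(pattern):
    """Flag patterns whose host part would accept arbitrary domains."""
    if "://" not in pattern:
        return True
    scheme, rest = pattern.split("://", 1)
    host = rest.split("/", 1)[0].split("?", 1)[0].split(":", 1)[0]
    if "*" in scheme or host in ("", "*"):
        return True
    # A '*' in the host must be followed by '.' so it can only stand for a
    # subdomain label; 'https://*example.com' would accept evilexample.com.
    return any(host[i + 1:i + 2] != "." for i, c in enumerate(host) if c == "*")


if __name__ == "__main__":
    for candidate in ("https://app.example.com:443/login?next=1",
                      "https://app.example.com/login",
                      "https://www.example.com.attacker.test:8443/",
                      "//attacker.test/"):
        print(candidate, "->", goto_allowed(candidate))
    for pat in GOTO_PATTERNS + ["https://*", "https://*example.com/*"]:
        print(pat, "-> broad" if overly_broad(pat) else "-> ok")
```

Two things worth noticing when running it: under these literal semantics the second pattern only matches URLs that carry an explicit port, so `https://app.example.com/login` is refused and a pattern without `:*` would be needed for default-port URLs (whether OpenAM's own matcher normalises ports is a question for the product documentation); and the `overly_broad` check is the kind of guard you want on whatever feeds patterns into the Validation Service, since a single `https://*` entry accepts any host.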
Re: Setting iplanet-am-auth-valid-goto-domains in OpenAM13

Alberto Treviño

Thanks, Christian, for the response. I'll be a bit verbose as to what I did for the benefit of others.


I tried your ssoadm commands and they failed. The error was something like validationService not added to realm. That, of course, pointed me in the right direction for the UI.


From the OpenAM console, go to Realms > (your realm) > Services. Click on Add and add a new Validation Service. It will then provide you with a method to add the URL patterns to a list and save the values.


Thanks so much for your help.


From: [hidden email] <[hidden email]> on behalf of Christian Viola <[hidden email]>
Sent: Thursday, June 23, 2016 12:45:59 AM
To: Users
Subject: Re: [OpenAM] Setting iplanet-am-auth-valid-goto-domains in OpenAM13