How to whitelist allowed nextTargetURL in PhenixID Server
This document describes how to define the allowed nextTargetURLs in PhenixID Server.
The reader of this document should have basic knowledge of PhenixID Server.
System requirements
- PhenixID Server installed.
Overview
To prevent open redirects to untrusted sites, PhenixID Server should be configured to allow only specific target URLs. As the example below shows, the allowed targets are expressed as a regular expression.
(SAML and OpenID Connect redirects to an external IdP/SP/RP/OP are excluded from this list, as those URLs are part of the configured trust.)
PhenixID Server checks the target URL and verifies it against a list of approved sites/domains:
- Own server domain(s)
- List of manually added domains
This document describes how to reject every "logoff_uri" except those configured as valid targets.
We will make changes to the configuration files boot.json and phenix-store.json, so make sure to have a backup of both files before you start.
Instruction
There are three parameters that can be used to manage the allowed targets. They are concatenated into ONE regular expression, which is then used to validate the target.
The parameters are:
- "allowedLogoutTargetPrefix" - The first part of the regex. Must end with | so that it combines with the next parameter.
- "allowedLogoutTarget" - The default allowed target, maintained by PhenixID.
- "allowedLogoutTargetSuffix" - The last part of the regex. Must start with | so that it combines with the previous parameter.
The parameters are configured in boot.json on the authenticator module in use (here com.phenixidentity~auth-http), as in this example:
{
  "name": "com.phenixidentity~auth-http",
  "enabled": "true",
  "config": {
    "ssl": "true",
    "port": "8443",
    "allowedLogoutTargetPrefix": ".*\\.site1\\.se\\/.*|.*\\.site2\\.se\\/.*|",
    "root_uri": "/config"
  }
}
NOTE:
The backslashes in the value are doubled because it is a JSON string; the regex engine sees .*\.site1\.se\/.*|.*\.site2\.se\/.*|. The leading ".*\\." requires at least one label before site1.se / site2.se, so www.site1.se matches while a bare site1.se does not. Note that it also matches any other host under site1.se, such as shouldnotbeused.site1.se. The trailing "\\/.*" requires a "/" directly after the domain, so the target must continue with a path (www.site1.se/ rather than www.site1.se), and a look-alike host such as www.site1.se.shouldnotbeused.com is rejected because ".site1.se" is followed by "." rather than "/". Because the expression begins with ".*", it is not anchored to the host part of the URL: a URL on a different host whose path or query string contains ".site1.se/" would also match. If that is a concern, anchor the expression on the scheme and host instead of starting it with ".*".
Since the change is made in boot.json, the service must be restarted for the change to take effect.
We can then add allowed targets as "logoff_uri" on the module used for the application (in phenix-store.json), as in these examples:
{
  "name": "com.phenixidentity~phenix-prism",
  "enabled": "true",
  "config": {
    "base_url": "/selfservice",
    "logoff_uri": "http://www.site1.se/",
    "auth_redirect_url": "/selfservice/authenticate/0b0f59f9-c561-4926-836a-d7c6bad3c068",
    "http_configuration_ref": "05df53b8-402f-4002-926c-7bad33ae8847",
    "module_refs": "3faadfd5-6260-47ea-9afa-6a42900a0633",
    "enable_roles": "true"
  },
  "id": "f25f9dc2-357e-4d0f-9ef0-7460394482b2"
}
{
  "name": "com.phenixidentity~phenix-prism",
  "enabled": "true",
  "config": {
    "base_url": "/mfaadmin",
    "logoff_uri": "http://www.site2.se/",
    "auth_redirect_url": "/mfaadmin/authenticate/e95b6db4-2e16-4ecc-856f-d619684c42c8",
    "http_configuration_ref": "4aa1b5fd-07e4-4e56-beaf-d18301edc160",
    "module_refs": "e9cdc123-edca-4a90-a785-a263fc89e933,69925bf9-cbfd-4169-9691-3b0cd9615a64",
    "enable_roles": "true"
  },
  "id": "d62fef49-c129-46d0-bec2-4009dc516059"
}
(The "logoff_uri" values end with "/" because the regex above requires a "/" directly after the domain; "http://www.site2.se" without the trailing slash would be rejected.)
Allow all
Allowing all redirects is not recommended in a production environment!
This setting, in the same boot.json config block as the prefix and suffix, allows all redirects:
"allowedLogoutTarget": ".*"
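The validation described in this document, worked through as an added example. This is not PhenixID code and does not reproduce the server's own matcher: it concatenates the three parameters the way the text describes, parses the boot.json fragment so the JSON backslash escaping becomes visible, and classifies a set of constructed target URLs (the kind of values put in "logoff_uri"), including the "Allow all" setting. The PhenixID-maintained default value of "allowedLogoutTarget" is not shown on this page, so a stand-in regex for the server's own domain is assumed; whole-URL matching (re.fullmatch) is also an assumption. The anchored prefix at the end is an alternative of the editor's own, not a setting from the page.

```python
import json
import re

# Constructed boot.json fragment, same shape as the auth-http example above.
# The backslashes are doubled because the value is a JSON string; after
# parsing, the regex engine sees  .*\.site1\.se\/.*|.*\.site2\.se\/.*|
BOOT_JSON_FRAGMENT = r'''
{
  "name": "com.phenixidentity~auth-http",
  "enabled": "true",
  "config": {
    "ssl": "true",
    "port": "8443",
    "allowedLogoutTargetPrefix": ".*\\.site1\\.se\\/.*|.*\\.site2\\.se\\/.*|",
    "root_uri": "/config"
  }
}
'''

# ASSUMPTION: the PhenixID-maintained default (allowedLogoutTarget) is not
# shown on the page. This stand-in represents "own server domain(s)".
ASSUMED_DEFAULT_TARGET = r".*\.idp\.example\.com\/.*"

# Editor's alternative to the page's prefix: anchored on scheme and host, so a
# foreign host whose path or query contains ".site1.se/" no longer matches.
# The "+" keeps the page's rule that at least one label precedes site1.se.
ANCHORED_PREFIX = (
    r"^https?:\/\/(?:[a-z0-9-]+\.)+site1\.se\/.*|"
    r"^https?:\/\/(?:[a-z0-9-]+\.)+site2\.se\/.*|"
)

# Constructed target URLs, i.e. candidate "logoff_uri" values.
SAMPLE_TARGETS = [
    "http://www.site1.se/",                        # label before site1.se, trailing "/"
    "http://www.site2.se",                         # no "/" after the domain
    "http://site1.se/",                            # nothing before ".site1.se"
    "http://www.site1.se.shouldnotbeused.com/",    # look-alike: ".site1.se" followed by "."
    "http://shouldnotbeused.site1.se/",            # any host under site1.se
    "https://attacker.example/?next=.site1.se/",   # ".site1.se/" inside the query string
]


def load_auth_http_config(text):
    """Parse a boot.json module fragment and return its "config" object."""
    return json.loads(text)["config"]


def build_allowed_target_regex(config, default_target=ASSUMED_DEFAULT_TARGET):
    """Combine prefix + default + suffix into the single expression the page
    describes. The prefix must end with "|" and the suffix must start with "|"
    so that the pieces form one alternation; a missing "|" would silently glue
    two branches together, so it is checked rather than trusted."""
    prefix = config.get("allowedLogoutTargetPrefix", "")
    default = config.get("allowedLogoutTarget", default_target)
    suffix = config.get("allowedLogoutTargetSuffix", "")
    if prefix and not prefix.endswith("|"):
        raise ValueError('allowedLogoutTargetPrefix must end with "|"')
    if suffix and not suffix.startswith("|"):
        raise ValueError('allowedLogoutTargetSuffix must start with "|"')
    return re.compile(prefix + default + suffix)


def is_allowed_target(pattern, url):
    """ASSUMPTION: the whole URL has to match (re.fullmatch). Because every
    branch on the page starts and ends with ".*", a search-style match gives
    the same verdicts for the sample targets above."""
    return pattern.fullmatch(url) is not None


def classify(config, urls):
    """Map each URL to True (allowed) or False (rejected) under the config."""
    pattern = build_allowed_target_regex(config)
    return {url: is_allowed_target(pattern, url) for url in urls}


if __name__ == "__main__":
    page_config = load_auth_http_config(BOOT_JSON_FRAGMENT)
    print("Combined expression:", build_allowed_target_regex(page_config).pattern)
    for url, allowed in classify(page_config, SAMPLE_TARGETS).items():
        print(f"  {'ALLOW ' if allowed else 'REJECT'} {url}")
    print("With anchored prefix:")
    anchored = {"allowedLogoutTargetPrefix": ANCHORED_PREFIX}
    for url, allowed in classify(anchored, SAMPLE_TARGETS).items():
        print(f"  {'ALLOW ' if allowed else 'REJECT'} {url}")
    # "Allow all" from the page: every target passes. Not for production.
    allow_all = classify({"allowedLogoutTarget": ".*"}, SAMPLE_TARGETS)
    print("Allow all:", all(allow_all.values()))
```

Running it shows that the page's expression accepts "http://www.site1.se/" and "http://shouldnotbeused.site1.se/", rejects "http://www.site2.se", "http://site1.se/" and the look-alike host, but also accepts "https://attacker.example/?next=.site1.se/" because the leading ".*" is not tied to the host; the anchored prefix keeps the first verdicts and rejects the last one.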