When the SOA Security Manager Identity Provider Discovery Service receives a request for the common domain cookie, the request includes a query parameter named IPDTarget. This query parameter specifies the URL to which the Discovery Service redirects after it processes the request.
For an IdP, the IPDTarget is the SAML 2.0 Single Sign-on service. For an SP, the target is the requesting application that wants to use the common domain cookie.
We recommend protecting the IPDTarget query parameter against open-redirect attacks. Without validation, an unauthorized user can place any URL in this query parameter and cause the Discovery Service to redirect the user to a malicious site.
To protect the query parameter against an attack, configure the Agent Configuration Object setting ValidFedTargetDomain. The ValidFedTargetDomain parameter lists all valid domains for your federated environment.
Note: The ValidFedTargetDomain setting is similar to the ValidTargetDomain setting used by the Web Agent, but this setting is defined specifically for federation.
When the IPD Service examines the IPDTarget query parameter, it extracts the domain from the URL specified by the query parameter. The IPD Service then compares this domain to the list of domains specified for the ValidFedTargetDomain parameter. If the URL domain matches one of the configured domains in the ValidFedTargetDomain, the IPD Service redirects the user to the designated URL.
If there is no domain match, the IPD Service denies the request and the user receives an HTTP 403 Forbidden response in the browser. Additionally, errors are reported in the FWS trace log and the affwebservices log. These messages indicate that the domain of the IPDTarget is not defined as a valid federation target domain.
If you do not configure the ValidFedTargetDomain setting, no validation is performed and the user is always redirected to the target URL.
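The following Python script is an added illustration of the validation logic described above; it is not CA's code and does not reflect how the IPD Service is implemented internally. It assumes (as an interpretation of "domain of the URL") that a hostname matches a configured domain when it is equal to it or is a subdomain of it on a label boundary, that configured entries may carry a leading dot as with the Web Agent's ValidTargetDomain, and that only http and https targets are acceptable. The domain list and sample IPDTarget values are constructed for the example. The cases it checks are the ones a reviewer would want to see rejected: a host that merely ends with a valid domain's characters, a URL with userinfo before the real host, and a scheme-relative URL.

```python
from urllib.parse import urlparse

# Constructed sample configuration standing in for the ValidFedTargetDomain list.
# A leading dot is tolerated (".example.com" == "example.com"); this is an assumption.
VALID_FED_TARGET_DOMAINS = ["example.com", ".partner.example.org"]


def target_domain(ipd_target):
    """Return the lower-case host of an IPDTarget URL, or None if the URL has no usable host.

    urlparse().hostname already discards userinfo ("user@"), the port and IPv6 brackets,
    so "https://example.com@attacker.test/" yields "attacker.test", not "example.com".
    """
    try:
        parsed = urlparse(ipd_target)
    except ValueError:
        # e.g. a malformed IPv6 literal; treat as no host
        return None
    if parsed.scheme.lower() not in ("http", "https"):
        # Scheme-relative ("//host/...") and non-web schemes are not redirect targets
        return None
    host = parsed.hostname
    return host.lower() if host else None


def domain_allowed(host, valid_domains):
    """True if host equals a configured domain or is a subdomain of one.

    The suffix test is done on a label boundary ("." + domain), so
    "example.com.attacker.test" does not match "example.com".
    """
    for domain in valid_domains:
        d = domain.lower().lstrip(".")
        if not d:
            continue
        if host == d or host.endswith("." + d):
            return True
    return False


def check_ipd_target(ipd_target, valid_domains):
    """Model the IPD Service decision as (http_status, redirect_location).

    With no ValidFedTargetDomain configured, no validation is performed and the
    user is redirected unconditionally (302). A domain match also yields 302.
    Anything else yields 403 Forbidden with no Location.
    """
    if not valid_domains:
        return (302, ipd_target)
    host = target_domain(ipd_target)
    if host is None or not domain_allowed(host, valid_domains):
        return (403, None)
    return (302, ipd_target)


if __name__ == "__main__":
    # Constructed IPDTarget values exercising the accept and reject paths.
    samples = [
        "https://sso.example.com/affwebservices/public/saml2sso",
        "https://Example.COM:8443/app",
        "https://example.com.attacker.test/",
        "https://example.com@attacker.test/",
        "//example.com/x",
    ]
    for url in samples:
        status, location = check_ipd_target(url, VALID_FED_TARGET_DOMAINS)
        print(f"{status}  {url}  -> {location}")
```

Running the script prints a 302 for the first two targets and a 403 for the remaining three; dropping the domain list (passing an empty list) reproduces the unvalidated behaviour in which every target is redirected.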
Copyright © 2011 CA. All rights reserved.