Symptom:
When a user is redirected to the Authentication URL, the SMPORTALURL query parameter could be manipulated to redirect the user to a malicious site.
Solution:
To prevent malicious modification of the URL when a user is redirected to an authentication URL, the SMPORTALURL query parameter can now be encrypted. To encrypt this parameter, select the Use Secure URL option in the appropriate dialog at the producer/Identity Provider/Account Partner site, or set the SDK property USE_SECURE_AUTH_URL to 1 in the SP or IDP object.
Note: If the Use Secure URL option is selected, the following servlet must be specified for the Authentication URL: http(s)://idp_server:port/affwebservices/secure/secureredirect
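For sites that have not yet enabled Use Secure URL, the following added example (not CA code) audits web access logs for requests whose cleartext SMPORTALURL points at a host outside your own federation servers. The log format, the /auth/login.jsp path, the host names and the function names are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumption: hosts that may legitimately appear in SMPORTALURL.
ALLOWED_PORTAL_HOSTS = {"idp.example.com"}

# Constructed access-log lines; /auth/login.jsp is a placeholder Authentication URL.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2011:10:00:00 +0000] "GET /auth/login.jsp?SMPORTALURL=https%3A%2F%2Fidp.example.com%2Fsso HTTP/1.1" 200 512',
    '10.0.0.6 - - [01/Jan/2011:10:00:05 +0000] "GET /auth/login.jsp?SMPORTALURL=https%3A%2F%2Flogin.attacker.example%2Fsso HTTP/1.1" 200 512',
    '10.0.0.7 - - [01/Jan/2011:10:00:09 +0000] "GET /auth/login.jsp?SMPORTALURL=https%3A%2F%2Fidp.example.com%40attacker.example%2F HTTP/1.1" 200 512',
    '10.0.0.8 - - [01/Jan/2011:10:00:12 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')


def suspicious_portal_targets(request_target):
    """Return decoded SMPORTALURL values whose host is not on the allow-list."""
    flagged = []
    query = urlsplit(request_target).query
    for value in parse_qs(query).get("SMPORTALURL", []):
        try:
            host = (urlsplit(value.strip()).hostname or "").lower()
        except ValueError:
            host = ""  # malformed authority, treat as unknown
        # Compare the parsed host, not a substring: a value such as
        # "https://idp.example.com@other.host/" contains the trusted name
        # but resolves to other.host. Relative or unparseable values have
        # an empty host and are flagged for review as well.
        if host not in ALLOWED_PORTAL_HOSTS:
            flagged.append(value)
    return flagged


def scan(lines):
    """Return (line_number, SMPORTALURL value) for every suspicious request."""
    findings = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if match:
            for value in suspicious_portal_targets(match.group(1)):
                findings.append((number, value))
    return findings


if __name__ == "__main__":
    for number, value in scan(SAMPLE_LOG):
        print(f"line {number}: unexpected SMPORTALURL target {value}")
```

Once Use Secure URL is enabled the parameter is encrypted, so this cleartext check no longer applies.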
Copyright © 2011 CA. All rights reserved.