Sun OpenSSO Enterprise 8.0 Update 1 Release Notes

CR 6770231: OpenSSO Enterprise 8.0 Update 1 Validates goto URLs

OpenSSO Enterprise 8.0 Update 1 can validate the goto URL after a user logs in, to prevent an attacker from using that parameter (an open redirect) to send the user to an impostor site and steal the user's personal information.

To Set Valid goto URLs:

  1. Install OpenSSO Enterprise 8.0 Update 1. If you are patching OpenSSO Enterprise 8.0, make sure you run the updateschema.sh or updateschema.bat script and restart the OpenSSO Enterprise web container.

  2. Log in to the Admin Console.

  3. Click Configuration, Authentication, and then Core.

  4. Under Valid goto URL domains, add each valid goto domain name, as follows:

    • A domain name starting with a dot (.) such as .example.com allows all hosts in the example.com domain to be used in a success redirect URL.

    • A domain name that does not start with a dot (.) such as example.com allows the host example.com to be used in a success redirect URL. For example, http://example.com would be valid, but http://host.example.com would not be valid.

    • If you don't add the entire domain to the list, you must add each individual agent host name being used.

    • You do not need to add domains for agents in CDSSO mode, because they are protected automatically.

  5. Click Save.

  6. Restart the OpenSSO Enterprise web container.

    If you subsequently want to disable the goto URL validation, remove all entries from the Valid goto URL domains list.

Additional Information - If a goto URL is found to be invalid, the user will be redirected to the default success login URL (/opensso/console).
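The matching rules from step 4 and the fallback described above, as an added illustrative reimplementation in Python (not OpenSSO's own code). Treating a bare path as local, and letting a dot-prefixed entry also match its apex host, are assumptions.

```python
from typing import Iterable
from urllib.parse import urlsplit

# Fallback target named in the release note for an invalid goto URL.
DEFAULT_SUCCESS_URL = "/opensso/console"


def host_allowed(host: str, valid_domains: Iterable[str]) -> bool:
    """Apply the 'Valid goto URL domains' rules: a dot-prefixed entry
    (".example.com") allows every host in that domain; an entry without a
    leading dot ("example.com") allows only that exact host (case-insensitive).
    """
    host = host.lower().rstrip(".")
    for entry in valid_domains:
        entry = entry.strip().lower()
        if not entry:
            continue
        if entry.startswith("."):
            # Suffix match on a label boundary: "host.example.com" matches
            # ".example.com" but "evilexample.com" does not. Treating the
            # apex "example.com" as part of its own domain is an assumption.
            if host.endswith(entry) or host == entry[1:]:
                return True
        elif host == entry:
            return True
    return False


def resolve_goto(goto_url: str, valid_domains: Iterable[str]) -> str:
    """Return the URL the user is sent to after login.

    With no configured domains validation is disabled and the goto URL is
    used as-is (step 6 note). A bare path has no host and is assumed to stay
    on this server. Anything else must be http(s) with an allowed host, or
    the user is sent to the default success URL instead.
    """
    domains = [d for d in valid_domains if d.strip()]
    if not domains:
        return goto_url
    parts = urlsplit(goto_url)
    if not parts.scheme and not parts.netloc:
        return goto_url  # relative path such as /opensso/console (assumption)
    # urlsplit().hostname drops userinfo and port, so a URL like
    # http://example.com@evil.example/ is judged on "evil.example",
    # and scheme-relative //evil.example/ fails the scheme check below.
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return DEFAULT_SUCCESS_URL
    return goto_url if host_allowed(parts.hostname, domains) else DEFAULT_SUCCESS_URL
```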