Enabling the Use Introductions option for an identity provider can expose an open redirect vulnerability through the RelayState parameter. To prevent this vulnerability, perform the following steps:
Create the relayStateWhiteList.conf file and add the exact URLs to which you want to allow redirection.
For example, if you specify https://www.<domainname>.com, that URL and all URLs under it are allowed, such as:
https://www.<domainname>.com/en-us/home
https://www.<domainname>.com/en-us/digital-transformation/overview
https://www.<domainname>.com
If you specify https://www.<domainname>.com/en-us/home, then that URL and any child URL of it are allowed, for example https://www.<domainname>.com/en-us/home/resources. However, https://www.<domainname>.com is not allowed, because it is the parent of the specified URL rather than a child.
Place relayStateWhiteList.conf in the /opt/novell/nids/lib/webapp/WEB-INF folder by using Advanced File Configurator.
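To make the allow-list rule above concrete, the following Python model is added here as an illustration; it is not the code of the RelayStateWhiteListFilter, and the real filter's matching may differ in details. It implements the semantics the page describes: a RelayState value is accepted only if it equals a listed URL or is a child path of one. The comparison is done on parsed components (scheme and host must match exactly, and the path must extend the listed path at a "/" boundary), so a host such as www.example.com.evil.test or a path such as /en-us/homestead is not mistaken for a child of a listed URL, which a plain string-prefix check would get wrong. The file format (one absolute URL per line, # for comments) and the example.com URLs are assumptions.

```python
from urllib.parse import urlsplit

# Constructed sample of a relayStateWhiteList.conf.
# Assumption: one absolute URL per line; the page only says "add the exact URLs".
SAMPLE_WHITELIST = """\
# lines starting with '#' and blank lines are ignored in this model
https://www.example.com/en-us/home
https://www.example.com/en-us/digital-transformation/overview
"""


def load_whitelist(text):
    """Parse the conf text into (scheme, host, path) tuples, rejecting non-absolute entries."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = urlsplit(line)
        if parts.scheme not in ("http", "https") or not parts.netloc:
            raise ValueError(f"whitelist entry must be an absolute http(s) URL: {line!r}")
        # Normalise: scheme/host are case-insensitive, a trailing '/' is not significant.
        entries.append((parts.scheme, parts.netloc.lower(), parts.path.rstrip("/")))
    return entries


def is_allowed(relay_state, whitelist):
    """Return True if relay_state equals an allowed URL or is a child path of one.

    'Child' means the same scheme and host and a path that extends the allowed
    path at a '/' boundary. The parent of a listed URL is NOT allowed, matching
    the rule described for https://www.<domainname>.com/en-us/home.
    """
    try:
        parts = urlsplit(relay_state)
    except ValueError:
        return False  # unparsable input is rejected rather than passed through
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return False  # relative URLs, '//host' forms, javascript: and data: are all rejected
    scheme, host, path = parts.scheme, parts.netloc.lower(), parts.path.rstrip("/")
    for w_scheme, w_host, w_path in whitelist:
        if scheme != w_scheme or host != w_host:
            continue  # exact host comparison: 'www.example.com.evil.test' never matches
        if path == w_path or path.startswith(w_path + "/"):
            return True  # exact URL, or a child at a path-segment boundary
    return False


if __name__ == "__main__":
    wl = load_whitelist(SAMPLE_WHITELIST)
    for candidate in (
        "https://www.example.com/en-us/home/resources",   # child: allowed
        "https://www.example.com",                        # parent: not allowed
        "https://www.example.com/en-us/homestead",        # string prefix only: not allowed
        "https://www.example.com.evil.test/en-us/home",   # host suffix trick: not allowed
    ):
        print(f"{'ALLOW' if is_allowed(candidate, wl) else 'DENY ':5} {candidate}")
```

Running the block prints one ALLOW/DENY line per candidate, which is a quick way to sanity-check the entries you intend to put in relayStateWhiteList.conf against the URLs you expect to be accepted or refused before deploying the file.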
For information about how to add a file, see Adding Configurations to a Cluster in the NetIQ Access Manager CE 24.2 (v5.1) Administration Guide.
Open the Identity Server web.xml file.
For information about how to edit a file, see Modifying Configurations in the NetIQ Access Manager CE 24.2 (v5.1) Administration Guide.
Uncomment the RelayStateWhiteListFilter snippet:

    <filter-name>RelayStateWhiteListFilter</filter-name>
    <filter-class>com.mf.tomcat.custom.filter.RelayStateWhiteListFilter</filter-class>
    <description>This filter is used to whitelist the RelayState parameter for introductions.</description>
    <init-param>
        <param-name>configFile</param-name>
        <param-value>relayStateWhiteList.conf</param-value>
    </init-param>
    <init-param>
        <param-name>blackListRedirectPath</param-name>
        <param-value>/nidp/app/logout</param-value>
    </init-param>

Save the file.