A recent security scan pointed out that one could create a link to the Shibboleth SP's /Login endpoint and set a URL into
the "target" parameter on the query string, and once authentication is performed, the user is redirected to
the location specified in the "target" regardless of where that URL is.
That passes the user to the correct IdP, requires them to login, and then once they're logged in, they are redirected back
to Shibboleth SP, and then the Shibboleth SP redirects them back to the target URL,
which appears to be able to be set to anything.
The Shibboleth SP should be validating the target URL, should
it not? Maybe I'm missing a configuration? Appreciate any assistance. Thanks!
Director, Product Engineering
TeamDynamix: The Right Fit for Higher Ed
o: 877-752-6196 x114
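As an added illustration (not code from the post above or from the Shibboleth project), this Python function shows the kind of check an SP must apply to the "target" parameter before issuing the post-login redirect: the host allow-list and default landing page are constructed placeholders.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed allow-list of hosts this SP is willing to send a freshly
# authenticated user to (hypothetical names, not from the original post).
ALLOWED_HOSTS = {"app.example.edu", "portal.example.edu"}
DEFAULT_TARGET = "https://app.example.edu/"


def safe_target(target, allowed_hosts=ALLOWED_HOSTS, default=DEFAULT_TARGET):
    """Return ``target`` if it only leads to an allow-listed host, else ``default``.

    Covers the usual open-redirect evasions: foreign absolute URLs,
    protocol-relative ``//host`` (and ``///host``, which browsers collapse),
    backslash variants, non-http(s) schemes, embedded control characters,
    and userinfo tricks such as ``https://app.example.edu@evil.example``.
    """
    if not target:
        return default
    candidate = target.strip()
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in candidate):
        return default  # browsers silently drop tabs/newlines; refuse them
    candidate = candidate.replace("\\", "/")  # browsers treat \ as / here
    parts = urlsplit(candidate)
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return default
    if not parts.netloc:
        # A plain absolute path ("/app/home") stays on the SP's own host.
        # Anything starting with "//" would resolve to a foreign authority.
        if candidate.startswith("/") and not candidate.startswith("//"):
            return candidate
        return default
    try:
        host, port = parts.hostname, parts.port
    except ValueError:
        return default  # malformed port
    if host not in allowed_hosts:
        return default
    # Rebuild the authority from the checked host, dropping any userinfo.
    netloc = host if port is None else f"{host}:{port}"
    scheme = parts.scheme.lower() or "https"
    return urlunsplit((scheme, netloc, parts.path or "/", parts.query, parts.fragment))
```

Shibboleth SP's own equivalent is the `redirectLimit` setting on the `<Sessions>` element, which restricts post-login redirects to the SP's own host or an explicit allow list.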