How to define a whitelist of trusted domains to validate against during a login to Access Manager's Identity Server



Organisations may have set up a Web server Portal page with a HTML form that POSTs the users credentials to the Identity (IDP) Server login page (see Customizing the Identity Server Login Page under section '3.6 Managing Direct Access to the Identity Server') as opposed to having the Access Gateway redirect users to the IDP server login page when trying to access protected resources.

The HTML <form> tag on this page will do something similar to the following form, where the users credentials are submitted to the IDP login page (action tag) and redirect to a target URL after successfully authenticating.
    <form method="post" action="">
<strong>Please enter user ID and password:</strong>
<strong>User ID</strong>
<input type="text" size="20" name="Ecom_User_ID">
<input type="password" size="20" name="Ecom_Password">
<input type="hidden" name="target" value="">
<strong>And then click this button:</strong>
<input type="submit" name="login" value="Login">

This works fine - when the user enters their credentials, the IDP server validates the credentials and redirects the user to a valid target page.

Problem Definition

The problem however is that the Administrator has concerns regarding a potential hacker changing the target field in such a manner that users are asked for credentials. Looking at the following use case:

  1. User clicks on a URL (Can be a link from an email or from a website) received in an email with non-trusted provider as a target. (Example: phishing or spam email)

  • User taken to valid IDP login page for domain and authenticates to IDP (User thinks it is legitimate link as user taken to valid known URL with familiar logo and credentials worked)

  • User then forwarded to non-trusted service provider defined by the Target parameter (User still thinks it is trusted application from

  • Now user is at, user may enter any information that the website prompts or asks as user thinks it is trusted website.


To avoid this issue, the Administrator needs to be able to define some sort of whitelist on the IDP server defining valid target domains that users can be redirected to. In order to do this, the changes must be added to the top.jsp file (/opt/novell/nids/lib/webapp/jsp/ directory on Linux). By adding the following modifications, the Administrator can define the trusted domains, as well as redirect any authorised requests to a pre-defined URL (/nidp/app/logout in the case below).

The exact changes to the top.jsp page are defined as follows:

  1. Add the trusted TargetDomains to the top of the file before the existing 'import=""' string)
    <%! public static String m_TargetDomains[] = { "", "", "" }; %>
    <%@ page import="" %>

  • Add the following logic to the JSP page after the existing UIHandler string entry. This code will take the target URL we receive and compare it with the trusted m_TargetDomains we configured at the beginning of the file. In the above case, if the target domain does not match the, or domains, the users are redirected to the logout URL of the IDP server. You can change that URL to be anything you want.
    UIHandler uh = new UIHandler(request,response);
    String url = (String) request.getAttribute("url");
    URL u = new URL(url);
    String domain = u.getHost().toLowerCase();
    boolean validTarget = false;
    for (int i = 0; i < m_TargetDomains.length; i ) {
    if (domain.endsWith(m_TargetDomains[i])) {
    validTarget = true;
    if ( !validTarget ) {
    //Log this?

If a user authenticates and the target parameter is part of the, or domains, the user will be redirected to that target. If the user authenticates and the target parameter is part of another domain, the user will be automatically logged out of the IDP server.

A copy of the sample top.jsp page is included.


How To-Best Practice
Comment List
  • The above jsp code will have issue with NAM4.0 onwards.
    Below is the customized JSP (top.jsp) for 4.0;

    UIHandler uh = new UIHandler(request,response);
    String url = (String) request.getAttribute("url");
    String target = (String) request.getParameter("target");
    URL turl = new URL(target);

    String domain = turl.getHost().toLowerCase();
    boolean validTarget = false;
    for (int i = 0; i
    <!DOCTYPE HTML PUBLIC "-//W3C//Dtd HTML 4.0 transitional//">

    <html lang="">