Configuring a Redirect Allowlist
To avoid redirect vulnerabilities in the Directory Server STS, Laserfiche Directory Server administrators can enable checking against an allowlist that restricts redirects to approved domains.
- Open the STS Web.config in a text editor of your choice. By default, this file is located in C:\Program Files\Laserfiche\Directory Server\Web\WebSTS.
- Find:
<add key="RedirectWhitelistEnabled" value="false" />
<add key="RedirectWhitelistDomains" value="" />
- By default, the value for the RedirectWhitelistEnabled key is set to False. To set a list of allowed domains, this value must be changed to True.
Note: If you set RedirectWhitelistEnabled to True, but do not specify any values in RedirectWhitelistDomains, only the domain the STS resides on will be allowed.
- For the RedirectWhitelistDomains key, add domains as the value, separating the domain names with a comma. The specified domains should match the values used by users to access the respective Laserfiche application. For example, if users browse to Laserfiche Forms using https://sampledomain.com/forms, and the Directory Server STS does not reside on sampledomain.com, then you should append sampledomain.com to the list.
- Save the Web.config file.
Note: To configure STS sites for your SAML identity providers, navigate to STS Sites.
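After saving, the two keys can be checked with a short script. The following is an added example, not Laserfiche code: it parses a copy of the Web.config and reports the allowlist state described in the steps above. The function name, the sample domain values, and the case-insensitive reading of True/False are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the two appSettings keys from the STS Web.config;
# the domain values are made up for illustration.
SAMPLE_WEB_CONFIG = """<configuration>
  <appSettings>
    <add key="RedirectWhitelistEnabled" value="True" />
    <add key="RedirectWhitelistDomains" value="sampledomain.com, https://forms.example.org/forms,," />
  </appSettings>
</configuration>"""


def audit_redirect_allowlist(web_config_xml):
    """Return (enabled, domains, findings) for the redirect allowlist keys."""
    root = ET.fromstring(web_config_xml)
    settings = {
        add.get("key"): (add.get("value") or "")
        for add in root.findall("./appSettings/add")
        if add.get("key")
    }
    findings = []
    # Assumption: the value is read case-insensitively ("True" / "true").
    flag = settings.get("RedirectWhitelistEnabled", "false")
    enabled = flag.strip().lower() == "true"
    raw = settings.get("RedirectWhitelistDomains", "")
    entries = [e.strip() for e in raw.split(",")]
    domains = [e for e in entries if e]
    if not enabled:
        findings.append("RedirectWhitelistEnabled is not True: allowlist checking is off")
        if domains:
            findings.append("Domains are listed, but the key must be True for the list to apply")
    elif not domains:
        findings.append("No domains listed: only the domain the STS resides on is allowed")
    if raw.strip() and len(domains) != len(entries):
        findings.append("Empty entry in RedirectWhitelistDomains (stray comma)")
    for d in domains:
        # The page's example appends the bare domain (sampledomain.com), not the URL.
        if "://" in d or "/" in d:
            findings.append(f"'{d}' looks like a URL; list the domain name only")
    return enabled, domains, findings


if __name__ == "__main__":
    enabled, domains, findings = audit_redirect_allowlist(SAMPLE_WEB_CONFIG)
    print("enabled:", enabled, "domains:", domains)
    for finding in findings:
        print("-", finding)
```

To check a real server, pass the contents of a copy of the Web.config from the WebSTS folder in place of the embedded sample.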