Configuring a Redirect Allowlist

To avoid redirect vulnerabilities in the Directory Server STS, Laserfiche Directory Server administrators can enable checking against an allowlist that restricts redirects to approved domains.

  1. On the computer hosting the Directory Server Security Token Service (STS), open the STS configuration site. By default, the address is https://localhost/LFDSSTS/configuration.
  2. To set a list of allowed domains, select the Allow additional domains to redirect option.

    Note: If you turn on Allow additional domains to redirect, but do not specify any values in the Additional allowlist domains, only the domain the STS resides on will be allowed.

  3. In the Additional allowlist domains textbox, add the desired domains, separating domain names with a comma. The specified domains should match the values used by users to access the respective Laserfiche application. For example, if users browse to Laserfiche Forms using https://sampledomain.com/forms, and the Directory Server STS does not reside on sampledomain.com, then you should append sampledomain.com to the list.
  4. Select Update to save your changes.
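
An added example, not Laserfiche code: a Python helper that derives the comma-separated value for the Additional allowlist domains textbox from the URLs users browse to, and reports which application URLs a given value leaves uncovered. The URLs and STS host below are constructed samples, and exact, case-insensitive host matching with ports ignored is an assumption; this page does not describe how the STS compares entries.

```python
from urllib.parse import urlsplit

def host_of(url):
    """Return the lowercase host of an absolute http(s) URL, or raise ValueError."""
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"not an absolute http(s) URL: {url!r}")
    return parts.hostname.rstrip(".")

def allowlist_value(app_urls, sts_host):
    """Build the comma-separated text for 'Additional allowlist domains'."""
    sts = sts_host.lower().rstrip(".")
    domains = []
    for url in app_urls:
        host = host_of(url)
        # The STS's own domain is allowed already, so it is not listed again.
        if host != sts and host not in domains:
            domains.append(host)
    return ",".join(domains)

def uncovered(app_urls, sts_host, textbox_value):
    """Return the application URLs whose host is neither the STS host nor listed.

    Assumption: entries are compared as exact, case-insensitive host names.
    """
    allowed = {d.strip().lower() for d in textbox_value.split(",") if d.strip()}
    allowed.add(sts_host.lower().rstrip("."))
    return [u for u in app_urls if host_of(u) not in allowed]

# Constructed sample inventory of URLs that users browse to (not real hosts).
APP_URLS = [
    "https://sampledomain.com/forms",
    "https://SampleDomain.com/laserfiche",
    "https://sts.example.internal/LFDSSTS",
    "https://docs.example.org:8443/weblink",
]
STS_HOST = "sts.example.internal"  # constructed: the host the STS resides on

if __name__ == "__main__":
    value = allowlist_value(APP_URLS, STS_HOST)
    print("Additional allowlist domains:", value)
    # With the option on and the textbox empty, only the STS domain is allowed.
    print("Left out by an empty list:", uncovered(APP_URLS, STS_HOST, ""))
    print("Left out by the built list:", uncovered(APP_URLS, STS_HOST, value))
```
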

Note: To configure STS sites for your SAML identity providers, navigate to STS Sites.