rsingh7
(Ravinder Singh)
August 12, 2024, 11:41pm
1
Which IIQ version are you inquiring about?
IIQ 8.4
Unable to disable SSO bypass URL http:///spt/login.jsf?prompt=true
We are planning to implement SSO and have gone through the System Configuration guide.
We found that the URL below bypasses SSO login:
https://<IIQ_HOST>:8443/identityiq/login.jsf?prompt=true
We have users who might have bookmarked the above URL; if they access IIQ through it, SSO login would be bypassed.
We don’t want that URL to bypass the SSO login page.
We would like to disable the above URL or redirect to https://<IIQ_HOST>:8443/identityiq/login.js even if a user is hitting https://<IIQ_HOST>:8443/identityiq/login.jsf?prompt=true
Tried KB article - Support Articles - [IdentityIQ] How to disable URL - /login.jsf?prompt=true - Customer Support
but no luck.
Made below changes in web.xml as suggested but no luck.
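```xml
<filter>
    <filter-name>pageAuthenticationFilter</filter-name>
    <filter-class>sailpoint.web.PageAuthenticationFilter</filter-class>
    <init-param>
        <param-name>loginUrl</param-name>
        <param-value>/login.jsf</param-value>
    </init-param>
    <init-param>
        <param-name>mobileLoginUrl</param-name>
        <param-value>/ui/login.jsf</param-value>
    </init-param>
    <init-param>
        <param-name>promptLoginUrl</param-name>
        <param-value>/login.jsf</param-value>
    </init-param>
    <init-param>
        <param-name>promptMobileLoginUrl</param-name>
        <param-value>/ui/login.jsf</param-value>
    </init-param>
</filter>
```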
Question :
How can we stop SailPoint from bypassing SSO login even if a user is hitting https://<IIQ_HOST>:8443/identityiq/login.jsf?prompt=true?
rsingh7
(Ravinder Singh)
August 12, 2024, 11:42pm
2
Made below changes in web.xml as suggested but no luck.
```xml
<filter>
    <filter-name>pageAuthenticationFilter</filter-name>
    <filter-class>sailpoint.web.PageAuthenticationFilter</filter-class>
    <init-param>
        <param-name>loginUrl</param-name>
        <param-value>/login.jsf</param-value>
    </init-param>
    <init-param>
        <param-name>mobileLoginUrl</param-name>
        <param-value>/ui/login.jsf</param-value>
    </init-param>
    <init-param>
        <param-name>promptLoginUrl</param-name>
        <param-value>/login.jsf</param-value>
    </init-param>
    <init-param>
        <param-name>promptMobileLoginUrl</param-name>
        <param-value>/ui/login.jsf</param-value>
    </init-param>
    <!-- The pasted snippet is cut off here; any further init-params are not shown. -->
</filter>
```
iamksatish
(Satish Kurasala)
August 13, 2024, 8:21am
3
@rsingh7
Share your complete web.xml with which you tried this
rsingh7
(Ravinder Singh)
August 13, 2024, 5:46pm
4
web.xml (42.3 KB)
Please see uploaded web.xml
@rsingh7 Your configuration looks good. Hoping you deployed it on all boxes. Let me see if I can find some more details.
If you specifically want to restrict access when prompt=true is passed as a parameter, consider implementing a URL filter. A custom filter can intercept requests to check for the prompt=true parameter and restrict access accordingly.
```java
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import java.io.IOException;

// Servlet filter that blocks requests carrying the prompt=true parameter.
public class RestrictPromptFilter implements Filter {

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        // No initialization needed.
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest httpRequest = (HttpServletRequest) request;
        String prompt = httpRequest.getParameter("prompt");

        // prompt=true is forwarded to an access-denied page and never reaches the login page.
        if ("true".equals(prompt)) {
            request.getRequestDispatcher("/access-denied.jsp").forward(request, response);
            return;
        }

        // All other requests continue down the filter chain.
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
        // Nothing to release.
    }
}
```
Add this in web.xml:
```xml
<filter>
    <filter-name>RestrictPromptFilter</filter-name>
    <filter-class>com.yourpackage.RestrictPromptFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>RestrictPromptFilter</filter-name>
    <!-- url-pattern is matched relative to the webapp context root (/identityiq in the URL above), so it carries no /iiq prefix -->
    <url-pattern>/login.jsf</url-pattern>
</filter-mapping>
```
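A filter such as the one suggested above only runs when its url-pattern matches the request path relative to the context root, with the query string ignored. The following is an added example, not part of the thread and not SailPoint code: a Python check that applies the Servlet url-pattern rules to a web.xml and lists which filter mappings fire for a given request. The descriptor is constructed sample data; `PrefixedPromptFilter`, the `*.jsf` mapping and the `/identityiq` default context path are assumptions for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml fragment (not the poster's file); names and patterns are sample values.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <filter-mapping>
    <filter-name>PrefixedPromptFilter</filter-name>
    <url-pattern>/iiq/login.jsf</url-pattern>
  </filter-mapping>
  <filter-mapping>
    <filter-name>RestrictPromptFilter</filter-name>
    <url-pattern>/login.jsf</url-pattern>
    <url-pattern>/ui/login.jsf</url-pattern>
  </filter-mapping>
  <filter-mapping>
    <filter-name>pageAuthenticationFilter</filter-name>
    <url-pattern>*.jsf</url-pattern>
  </filter-mapping>
</web-app>"""

def pattern_matches(pattern, path):
    """Servlet url-pattern rules against a context-relative path."""
    if pattern.endswith("/*"):                   # path-prefix mapping
        return path == pattern[:-2] or path.startswith(pattern[:-1])
    if pattern.startswith("*."):                 # extension mapping
        return path.rsplit("/", 1)[-1].endswith(pattern[1:])
    return pattern == path                       # exact mapping

def context_relative(url_path, context_path):
    """Drop the query string and the context path from a request path."""
    path = url_path.split("?", 1)[0]
    if context_path and path.startswith(context_path + "/"):
        path = path[len(context_path):]
    return path

def filters_for(web_xml, url_path, context_path="/identityiq"):
    """Names of filters, in descriptor order, mapped to this request path."""
    root = ET.fromstring(web_xml)
    for el in root.iter():                       # ignore XML namespaces
        el.tag = el.tag.rsplit("}", 1)[-1]
    path = context_relative(url_path, context_path)
    chain = []
    for mapping in root.iter("filter-mapping"):
        patterns = [p.text.strip() for p in mapping.findall("url-pattern") if p.text]
        if any(pattern_matches(p, path) for p in patterns):
            chain.append(mapping.findtext("filter-name", "").strip())
    return chain

if __name__ == "__main__":
    print(filters_for(SAMPLE_WEB_XML, "/identityiq/login.jsf?prompt=true"))
```

Running the same check against the deployed web.xml on every node shows whether the blocking filter is mapped to both login paths and sits ahead of the authentication filter in the chain.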
rsingh7
(Ravinder Singh)
August 16, 2024, 3:34pm
7
Thanks for sharing suggestions!
system
(system)
Closed
October 15, 2024, 3:34pm
8
This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.