Unable to disable SSO bypass URL http://<iiq server>/spt/login.jsf?prompt=true

Which IIQ version are you inquiring about?

IIQ 8.4

Unable to disable SSO bypass URL http://<iiq server>/spt/login.jsf?prompt=true

We are planning to implement SSO and have gone through the System Configuration guide.
We found that the URL below bypasses SSO login:

https://<IIQ_HOST>:8443/identityiq/login.jsf?prompt=true

We have users who might have bookmarked the above URL. If they access IIQ through that URL, SSO login is bypassed.

We don’t want to have that URL bypassing SSO login page.

We would like to disable the above URL, or redirect to https://<IIQ_HOST>:8443/identityiq/login.js even if a user hits https://<IIQ_HOST>:8443/identityiq/login.jsf?prompt=true

Tried the KB article "[IdentityIQ] How to disable URL - /login.jsf?prompt=true" (Customer Support), but no luck.

Question :

  • How can we stop SailPoint from bypassing SSO login even when a user hits https://<IIQ_HOST>:8443/identityiq/login.jsf?prompt=true?

Made the changes below in web.xml as suggested, but no luck.

<filter>
      <filter-name>pageAuthenticationFilter</filter-name>
      <filter-class>
          sailpoint.web.PageAuthenticationFilter
      </filter-class>
      <init-param>
          <param-name>loginUrl</param-name>
          <param-value>/login.jsf</param-value>
      </init-param>
      <init-param>
        <param-name>mobileLoginUrl</param-name>
        <param-value>/ui/login.jsf</param-value>
      </init-param>
      <init-param>
        <param-name>promptLoginUrl</param-name>
        <param-value>/login.jsf</param-value>
      </init-param>
      <init-param>
        <param-name>promptMobileLoginUrl</param-name>
        <param-value>/ui/login.jsf</param-value>
      </init-param>
      <!-- the snippet is cut off here in the original post -->
</filter>

@rsingh7
Share your complete web.xml with which you tried this

web.xml (42.3 KB)

Please see uploaded web.xml

@rsingh7 Your configuration looks good. I hope you deployed it on all boxes. Let me see if I can find some more details.

If you specifically want to restrict access when prompt=true is passed as a parameter, consider implementing a URL filter. A custom filter can intercept requests to check for the prompt=true parameter and restrict access accordingly.

package com.yourpackage; // placeholder package, matching the filter-class used in web.xml

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import java.io.IOException;

public class RestrictPromptFilter implements Filter {

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        // no initialisation needed
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest httpRequest = (HttpServletRequest) request;
        // getParameter() returns only the first value of a repeated parameter
        String prompt = httpRequest.getParameter("prompt");
        if ("true".equals(prompt)) {
            // Stop here and show an access-denied page; the JSP must exist in the web application
            request.getRequestDispatcher("/access-denied.jsp").forward(request, response);
            return;
        }
        // Any other request continues down the filter chain unchanged
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}

Add this to web.xml:

<filter>
    <filter-name>RestrictPromptFilter</filter-name>
    <filter-class>com.yourpackage.RestrictPromptFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>RestrictPromptFilter</filter-name>
    <!-- url-pattern is relative to the application's context root, so the context name is not part of it -->
    <url-pattern>/login.jsf</url-pattern>
</filter-mapping>
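A variant of the filter above that does what the original question asks for (send a bookmarked `login.jsf?prompt=true` request back to the plain login URL instead of an error page), as an added example that is not part of the thread and not SailPoint code. The class name `StripPromptFilter` is hypothetical, and stripping `prompt` whatever its value, as well as refusing non-GET requests that carry it, are assumptions; the thread only discusses `prompt=true`.

```java
package com.yourpackage; // placeholder package, as in the reply above
import java.io.IOException;
import java.net.URLEncoder;
import java.util.Map;
import java.util.StringJoiner;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical class name; not part of IdentityIQ.
public class StripPromptFilter implements Filter {
    @Override
    public void init(FilterConfig filterConfig) { }
    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // getParameterMap() holds every occurrence, so prompt=false&prompt=true is caught too.
        Map<String, String[]> params = request.getParameterMap();
        if (!params.containsKey("prompt")) {
            chain.doFilter(req, res);
            return;
        }
        if (!"GET".equals(request.getMethod())) {
            // Assumption: only bookmarked GETs need a friendly redirect; refuse the rest.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // Rebuild the query string without "prompt", keeping all other parameters.
        StringJoiner query = new StringJoiner("&");
        for (Map.Entry<String, String[]> e : params.entrySet()) {
            if ("prompt".equals(e.getKey())) continue;
            for (String v : e.getValue()) {
                query.add(URLEncoder.encode(e.getKey(), "UTF-8") + "=" + URLEncoder.encode(v, "UTF-8"));
            }
        }
        // Use the container's canonical context and servlet path, not the raw request URI,
        // so the redirect target always stays inside this application.
        String path = request.getServletContext().getContextPath() + request.getServletPath();
        response.sendRedirect(path + (query.length() == 0 ? "" : "?" + query));
    }
    @Override
    public void destroy() { }
}
```

Map it to both `/login.jsf` and `/ui/login.jsf`, and declare its `filter-mapping` ahead of the one for `pageAuthenticationFilter`, because filters matched by `url-pattern` run in the order their mappings appear in web.xml.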

Thanks for sharing suggestions!