How to prevent the SMPORTALURL from being modified to point to an undesired site?


Article ID: 15296


Updated On:


CA Single Sign On Secure Proxy Server (SiteMinder), CA Single Sign On SOA Security Manager (SiteMinder), CA Single Sign-On


I'd like to validate the value of SMPORTALURL before the browser gets redirected to it. This is to prevent the request from being directed to an undesired site. How can I do it?



Release: ETRSWK99000-12.7-SiteMinder-Web Access Manager-SmWalker


  You can set the ACO parameter SecureURLs so that the SMPORTALURL cannot be modified. There is also a specific feature that encrypts only the value of SMPORTALURL.


  There is a feature that prevents the modification of that parameter, or the addition of an undesired value to it: you can encrypt the value of the SMPORTALURL. From the documentation:


  Specify if the single sign-on service must encrypt only the SMPORTALURL query parameter in Use Secure Authentication URL.

  An encrypted SMPORTALURL prevents a malicious user from modifying the value and redirecting authenticated users to a malicious website. The SMPORTALURL is appended to the Authentication URL before the browser redirects the user to establish a session. After the user is authenticated, the browser directs the user back to the destination specified in the SMPORTALURL query parameter.

  If you select this option, complete the following steps:

  Set the Authentication URL field to the following URL:




  R12.7 Documentation
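  To show why a protected SMPORTALURL closes the redirect problem described above, here is an added Python illustration (it is not SiteMinder code, and the token format is not the product's encryption or SecureURLs format). It models the flow the documentation describes: the destination is appended to the authentication URL as SMPORTALURL, and after authentication the single sign-on service reads it back and redirects there. A tamper-evident token (HMAC-SHA256 over the URL) stands in for the product's encryption, since the property that matters is that a modified value no longer verifies. It also adds the host allowlist check the question asks about as a complementary layer. The authentication URL, portal hosts, key and the attacker-controlled placeholder host are all constructed values, not product values.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Dict, Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed demo key. In the product the key lives with the SSO service;
# an application never sees it.
KEY = secrets.token_bytes(32)

# Placeholder authentication URL and portal hosts (assumptions, not product values).
AUTH_URL = "https://sso.example.com/authenticate"
ALLOWED_PORTAL_HOSTS = {"portal.example.com", "apps.example.com"}

TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def protect_portal_url(url: str, key: bytes = KEY) -> str:
    """Wrap the destination in a tamper-evident token (HMAC-SHA256 over the URL).

    Stands in for the product's encryption of SMPORTALURL: a changed value no longer verifies.
    """
    payload = url.encode("utf-8")
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + tag).decode("ascii").rstrip("=")


def unprotect_portal_url(token: str, key: bytes = KEY) -> Optional[str]:
    """Return the destination URL if the token verifies, otherwise None."""
    try:
        raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(raw) < TAG_LEN:
        return None
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    try:
        return payload.decode("utf-8")
    except UnicodeDecodeError:
        return None


def host_is_allowed(url: str) -> bool:
    """Allowlist check: only HTTPS destinations on known portal hosts are accepted."""
    parts = urlsplit(url)
    return parts.scheme == "https" and parts.hostname in ALLOWED_PORTAL_HOSTS


def build_auth_redirect(portal_url: str, secure: bool) -> str:
    """The redirect the browser receives before authentication, with SMPORTALURL appended."""
    value = protect_portal_url(portal_url) if secure else portal_url
    return AUTH_URL + "?" + urlencode({"SMPORTALURL": value})


def replace_portal_param(auth_redirect: str, new_value: str) -> str:
    """Model a modified request: the SMPORTALURL query value is swapped for another."""
    parts = urlsplit(auth_redirect)
    return parts._replace(query=urlencode({"SMPORTALURL": new_value})).geturl()


def resolve_destination(auth_redirect: str, secure: bool, allowlist: bool = True) -> Optional[str]:
    """What the SSO service decides after authentication: where to send the browser.

    None means refuse: parameter missing, token fails verification (secure mode),
    or destination host outside the allowlist (when the allowlist is enabled).
    """
    values = parse_qs(urlsplit(auth_redirect).query).get("SMPORTALURL")
    if not values:
        return None
    dest = unprotect_portal_url(values[0]) if secure else values[0]
    if dest is None:
        return None
    if allowlist and not host_is_allowed(dest):
        return None
    return dest


def demo() -> Dict[str, Optional[str]]:
    """Run the same modified-parameter scenario against each configuration."""
    good = "https://portal.example.com/home"
    rogue = "https://attacker-controlled.example/login"  # constructed placeholder host
    plain = build_auth_redirect(good, secure=False)
    protected = build_auth_redirect(good, secure=True)
    return {
        # Plain SMPORTALURL, no validation: the changed value is followed as-is.
        "plain_modified": resolve_destination(replace_portal_param(plain, rogue), secure=False, allowlist=False),
        # Plain SMPORTALURL with a host allowlist: the changed value is refused.
        "plain_modified_allowlist": resolve_destination(replace_portal_param(plain, rogue), secure=False),
        # Protected SMPORTALURL left intact: verifies and resolves to the portal.
        "protected_intact": resolve_destination(protected, secure=True),
        # Protected SMPORTALURL replaced with a plain URL: not a valid token, refused.
        "protected_modified": resolve_destination(replace_portal_param(protected, rogue), secure=True),
        # Token minted under a different key: tag mismatch, refused.
        "protected_wrong_key": resolve_destination(
            replace_portal_param(protected, protect_portal_url(rogue, key=b"not-the-real-key")), secure=True),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:26} -> {result}")
```

  Running the script shows the two outcomes side by side: with a plain SMPORTALURL and no validation the modified value is followed to the placeholder host, while a verified token or an allowlisted host check refuses it. In the product the equivalent controls are the SecureURLs ACO parameter and the Use Secure Authentication URL option from the answer above.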


  This feature is available in Federation 12.7, and also in Federation 12.52 SP1 CR06:


  00355124 00454067 DE159107 DE198549 SMPORTALURL query value can be manipulated as it does not get encrypted while redirecting to



  Defects fixed in R12.52 SP1 CR06