When running a Web Agent Option Pack, when user accesses resource
/affwebservices/public/samlcc, the Target parameter is vulnerable to
"Open Redirect", the http request can be modified to contain some
arbitary URL redirecting the user to this modified URL.

Web Agent Option Pack 12.52SP1CR10 on Tomcat on Linux

At first glance, there's an ACO parameter you can set for the Web
Agent Option Pack to force Web Agent Option Pack to validate the
TARGET value against a white list (1)(2)(3).

So the GET action to an unknown target "mybadserver.mybaddomain.com",
will be validated by the Web Agent Option Pack before given the
response to the browser.

  GET /affwebservices/public/samlcc?TARGET=http://mybadserver.mybaddomain.com&SAMLart=dsF1csdwedwdsads44dsa4w4wd44dslN5g%2BHadj2f2IwfY

(1)

    Web Agent Option Pack :: ACO : Full List

      ValidFedTargetDomain

    https://knowledge.broadcom.com/external/article?articleId=49319

(2)

    ValidFedTargetDomain 

      Defines valid domains for your federated environment See Agent
      Setting for Federation Domains.

    https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-52-01/configuring/web-agent-configuration/list-of-agent-configuration-parameters.html
    

(3)

    SAML Credential Collector Service URL (SAML 1.x)

     The SAML Credential Collector service assists in consuming SAML 1.x assertions.

       Default URL for this Service

       https://consumer_server:port/affwebservices/public/samlcc

       consumer_server:port

       Identifies the web server and port hosting the Web Agent Option
       Pack or CA Access Gateway.

    https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-52-01/configuring/legacy-federation/federation-web-services-urls-used-by-the-product.html