Configure URL Allowlist for Logout Redirects

Securing user sessions even during logout is critical. Without a properly configured URL allowlist for logout redirects, users may inadvertently be redirected to unauthorized or unintended locations, potentially exposing sensitive information. Implementing a URL allowlist ensures that logout redirects only lead to trusted Identity Providers, significantly enhancing security and preventing potential misuse.

Resolution Steps:

  1. Access the System Properties:

    1. Go to the sys_properties table by entering sys_properties.list in the navigation filter of your ServiceNow instance.

  2. Configure the URL Allowlist:

    1. Search for the glide.security.url.whitelist property in the list.

    2. Add the AuthnRequest values for each active Identity Provider to this property. Ensure that these values are correct and correspond to trusted sources.

  3. Validate the Configuration:

    1. Test the logout process by attempting redirects to the listed URLs.

    2. Ensure that any unauthorized or unintended URLs are effectively blocked, and only trusted redirects are allowed.

  4. Regularly Update the Allowlist:

    1. Periodically review and update the allowlist to accommodate changes in trusted Identity Providers or redirect needs.

    2. Consider automating alerts for when unauthorized redirect attempts are blocked, to monitor for potential security issues.
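As an added example, not ServiceNow's own code, the following JavaScript shows the kind of check step 3 exercises: a candidate logout redirect is compared against the allowlist as a parsed origin plus path prefix, so look-alike hosts, embedded credentials and protocol-relative values are rejected rather than matched by substring. The sample property value, the comma-separated format and the path-prefix rule are assumptions.

```javascript
// Constructed sample value standing in for glide.security.url.whitelist;
// in practice it holds the AuthnRequest/logout endpoints of each active IdP.
// Comma-separated format is an assumption for this example.
const ALLOWLIST_PROPERTY =
  "https://idp.example.com/saml2/logout, https://sso.partner.example:8443/slo";

// Parse the property into canonical origins (scheme + host + port) and path
// prefixes using the WHATWG URL parser, so comparisons are structural.
function parseAllowlist(raw) {
  return raw
    .split(",")
    .map((s) => s.trim())
    .filter(Boolean)
    .map((s) => {
      const u = new URL(s);
      return { origin: u.origin, path: u.pathname };
    });
}

// Decide whether a logout redirect target may be followed.
// Returns { allowed, reason, target }; a blocked result is the event
// that step 4.2 suggests alerting on.
function checkLogoutRedirect(candidate, allowlist) {
  let u;
  try {
    u = new URL(candidate); // relative and "//host" values throw here
  } catch (e) {
    return { allowed: false, reason: "unparseable or relative URL", target: candidate };
  }
  if (u.protocol !== "https:") {
    return { allowed: false, reason: "non-https scheme", target: candidate };
  }
  if (u.username || u.password) {
    // "https://idp.example.com@evil.example/" parses to host evil.example
    return { allowed: false, reason: "credentials embedded in URL", target: candidate };
  }
  const hit = allowlist.find(
    (e) => e.origin === u.origin && u.pathname.startsWith(e.path)
  );
  if (!hit) {
    return { allowed: false, reason: "origin not in allowlist", target: candidate };
  }
  return { allowed: true, reason: "matched " + hit.origin, target: u.href };
}
```

Comparing `u.origin` exactly is what stops `https://idp.example.com.evil.example/` from passing, which a `startsWith("https://idp.example.com")` check would accept.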


Conclusion: Configuring a URL allowlist for logout redirects is an essential security practice that protects users and organizations from potential threats associated with unauthorized redirects. By restricting redirects to trusted sources, organizations can ensure a safer user experience and maintain control over session terminations.


For more detailed guidance on resolving this issue, please contact us at support@dt-advisory.ch.