Redirect URL Whitelist

What is a Redirect URL?

A Redirect URL is a URL that is used to redirect your domain's visitors to a different URL.

When do I use a Redirect URL?

A Redirect URL is often used to redirect an end-user back to the homepage after a login process. For example, a customer of a webshop visits the webshop, adds something to the cart, logs in and goes through the payment process. To make the payment, the end-user is redirected to the website of a bank. After finishing the payment, the end-user is redirected to the webshop's homepage. In this case the webshop's homepage is the Redirect URL.

A Redirect URL can also be used to forward an end-user to a web page that is available under more than one URL. For example, an end-user who types onegini.net in the browser is redirected to onegini.com.

What is a Redirect URL Whitelist?

A Redirect URL Whitelist is a list of URLs to which an end-user is allowed to be redirected.

To add a Redirect URL to the Redirect URL Whitelist, go to Onegini Customer Identity Access Manager > Configuration > General information.

[Screenshot: General Config and Redirect URL whitelist sections]

In the section General Config, the URLs to which the end-user is redirected after login, logout, sign-up and activation can be defined. In the section Redirect url whitelist, the validation rules against which a return_url or origin parameter is validated can be defined.

In the section General Config, the following fields can be filled in:

| Field | Description |
|---|---|
| Redirect to URL after login | Defines a URL to a default webpage to which the end-user is redirected after logging in. |
| Redirect to URL after logout | Defines a URL to a default webpage to which the end-user is redirected after logging out. |
| Redirect to URL after sign-up | Defines a URL to a default webpage to which the end-user is redirected after signing up. |
| Redirect to URL after activation | Defines a URL to a default webpage to which the end-user is redirected after activating her or his account. |

In the section Redirect url whitelist, the following fields can be filled in:

| Field | Description |
|---|---|
| Default Origin URL | Defines a default URL to which an end-user will be redirected when no 'origin' parameter is defined. |
| Redirect URL or regular expression pattern | Defines a list of URLs against which a 'return_url' or 'origin' parameter is validated. Regular expressions are allowed. |

How does a Redirect URL work?

To demonstrate how a Redirect URL works in a SAML flow, read the following step-by-step example:

  1. A Redirect URL should be provided in the request by an origin query parameter.
  2. This request could look like this http://dev.onegini.me:8181/personal/dashboard?origin=http://origin.example.com. In this request the Redirect URL is http://origin.example.com.
  3. The end-user is redirected to the origin URL (http://origin.example.com) as soon as he or she navigates to the endpoint /personal/return-to-origin (http://dev.onegini.me:8181/personal/return-to-origin) or as soon as he or she logs out.
  4. The Redirect URL should match at least one Redirect URL that is defined in the Redirect URL Whitelist in the Onegini Customer Identity Access Manager.

Note: If there is no Redirect URL defined in the Redirect URL Whitelist, the end-user is redirected to the default origin URL. If no default origin URL is defined, the end-user ends up on the first page that he or she visited, in this example http://dev.onegini.me:8181/personal/dashboard.
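The following added example (not Onegini's own code) shows the steps above in working form: reading the origin query parameter from the request URL, validating it against a constructed whitelist of exact URLs and regular expression patterns, and falling back to the default origin URL or the first visited page. It assumes that patterns must match the whole URL and that a non-matching origin is treated like a missing one; how the product itself matches entries is not stated on this page.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed whitelist: one exact URL and one regular expression pattern,
# as the "Redirect URL or regular expression pattern" field allows.
WHITELIST = [
    "http://origin.example.com",
    r"https://shop\.example\.com/checkout/.*",
]
DEFAULT_ORIGIN = "https://shop.example.com/"          # constructed value
FIRST_PAGE = "http://dev.onegini.me:8181/personal/dashboard"


def origin_from_request(request_url):
    """Return the 'origin' query parameter of the request URL, or None."""
    params = parse_qs(urlsplit(request_url).query)
    values = params.get("origin")
    return values[0] if values else None


def is_whitelisted(url, whitelist):
    """True if url equals an entry exactly or fully matches an entry as a regex.

    re.fullmatch anchors the pattern at both ends, so a whitelist pattern
    only accepts the whole URL, never a URL that merely starts with the
    allowed host (assumption: the product anchors patterns the same way).
    """
    for entry in whitelist:
        if url == entry:
            return True
        try:
            if re.fullmatch(entry, url):
                return True
        except re.error:
            continue  # entry is not a valid regex; it only counts as an exact URL
    return False


def resolve_redirect(origin, whitelist, default_origin, first_page):
    """Pick the target following the note above: whitelisted origin, else
    the default origin URL, else the first page the end-user visited."""
    if whitelist and origin and is_whitelisted(origin, whitelist):
        return origin
    return default_origin if default_origin else first_page
```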

Flows to use a Redirect URL

There are different flows or use cases in which you can use a Redirect URL. Take a look at the table below.

| Flow | Description |
|---|---|
| Any attribute update on the dashboard | A user can change a password or update a mobile number. |
| Action tokens | After a user has logged in, or any action token action has been executed, it is possible to redirect the user to a specific URL. |
| User login | A user is redirected to the CIM's login page, and the redirect URL redirects the user to the client's page. |
| Invite complete | A user is redirected to the return_url after finishing the invitation flow. |
| Log out | A user is redirected to a return_url after being logged out. |

Retrieving the status after an operation has ended

When an attribute update operation ends in a redirect to the specified URL, the status of this operation can be retrieved. A query parameter named operationStatusId, which contains the id of the status, is added to the redirect URL. The details of how to get the status can be found in the Operations API.