Agent Setting for Federation Domains

Users can be redirected to a malicious web site when they are using the Identity Provider Discovery (IPD) profile for SAML 2.0 transactions or the wreply URL for WS-Federation transactions. To prevent such a redirection, configure the ValidFedTargetDomain parameter in Web Agent.
The behavior of the ValidFedTargetDomain parameter differs between SAML 2.0 and WS-Federation.
ValidFedTargetDomain for SAML 2.0
The ValidFedTargetDomain parameter lists all valid domains for your federated environment when implementing Identity Provider Discovery.
When the IPD Service receives a request, it examines the IPDTarget query parameter in the request. The IPDTarget defines the URL to which the Discovery Service must redirect the browser after it processes the request. For an IdP, the IPDTarget is the SAML 2.0 Single Sign-on service. For an SP, the target is the requesting application that wants to use the common domain cookie.
Federation Web Services compares the domain of the IPDTarget URL to the list of domains specified for the ValidFedTargetDomain parameter. If the URL domain matches one of the configured domains in the ValidFedTargetDomain list, the IPD Service redirects the user to the IPDTarget URL at the SP.
If there is no domain match, the IPD Service rejects the user request with a 403 Forbidden error message. The errors are reported in the FWS trace log and the affwebservices log.
If you do not configure the parameter, no validation is done and the user is redirected to the target URL. If you are modifying a local configuration file, list the domains separately. For example:
validfedtargetdomain=".examplesite.com"
validfedtargetdomain=".abccompany.com"
ValidFedTargetDomain for WS-Federation
The ValidFedTargetDomain parameter lists all valid domains for your federated environment. The domain of the wreply URL is verified against this list to ensure that the redirection is secure.
Federation Web Services compares the domain of the wreply URL to the list of domains specified for the ValidFedTargetDomain parameter. If the URL domain matches one of the configured domains in the list, the Federation Web Services redirects the user to the wreply URL at the RP.
If there is no domain match, the Federation Web Services rejects the user request with a 400 bad request error message. The errors are reported in the FWS trace log and the affwebservices log.
If you do not configure the parameter, no validation is done and the user is redirected to the target URL. If you are modifying a local configuration file, list the domains separately. For example:
validfedtargetdomain=".examplesite.com"
validfedtargetdomain=".abccompany.com"
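The domain comparison described in both sections above, modelled as an added example; this is illustration code, not code from the documentation or from the product. The function names (domain_allowed, decide_redirect), the host normalization, and the suffix semantics (a leading-dot entry is assumed to match the apex domain and any subdomain) are assumptions; the 403 response for SAML 2.0 IPD, the 400 response for WS-Federation, and the unconditional redirect when no domains are configured follow the text.

```python
from urllib.parse import urlsplit

# Constructed sample configuration, mirroring the two-line form shown above.
VALID_FED_TARGET_DOMAINS = [".examplesite.com", ".abccompany.com"]


def target_host(url):
    """Return the lower-cased hostname of an absolute http(s) URL, or None.

    Using the parsed hostname (not the raw authority string) means userinfo
    ("sso.examplesite.com@evil.example") and ports cannot disguise the real host.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None  # relative URLs and non-web schemes never match a domain
    return parts.hostname.lower().rstrip(".")


def domain_allowed(url, valid_domains):
    """Suffix match of the target host against the ValidFedTargetDomain list (assumed semantics)."""
    host = target_host(url)
    if host is None:
        return False
    for domain in valid_domains:
        suffix = domain.lower()
        if not suffix.startswith("."):
            suffix = "." + suffix
        # Match the apex or a subdomain on a dot boundary only, so that
        # "evil-examplesite.com" does not satisfy ".examplesite.com".
        if host == suffix[1:] or host.endswith(suffix):
            return True
    return False


def decide_redirect(url, valid_domains, profile):
    """Return (status, location) for an IPDTarget ("saml2") or wreply ("wsfed") URL.

    An empty list reproduces the unconfigured case: no validation, redirect always.
    """
    if not valid_domains or domain_allowed(url, valid_domains):
        return 302, url
    return (403 if profile == "saml2" else 400), None
```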