Knowledge Base Article

Redirect URL in SSO callback [Linux]

This article explains how to harden the SSO settings in Sisense by restricting where the post-login redirect may send users.

Background

During the SSO flow, multiple redirects may occur to authenticate the user:

  1. [Sisense page] → [Sisense SSO login endpoint]
  2. [Sisense SSO login endpoint] → [Login URL of the SSO provider]
  3. [Login URL of the SSO provider] → [Sisense SSO callback endpoint]
  4. [Sisense SSO callback endpoint] → [Initially requested Sisense resource]

To remember the user's initial request and send them back to the requested resource once the SSO login has finished, Sisense carries a query-string parameter (such as "return_to") through each of the subsequent redirects.

Redirection example

Example of redirects during SSO login flow:

  1. https://my.sisense.com/app →
  2. https://my.sisense.com/openid?return_to=http%3A%2F%2Fmy.sisense.com%2Fapp →
  3. https://sso.provider.com/auth/realms/master/protocol/openid-connect/auth?response_type=code&client_id=Sisense&redirect_uri=http%3A%2F%2F10.50.69.85%3A30845%2Fopenid_callback&scope=openid%20email&nonce=8ac003e7-020c-413e-9848-bc1166f7c966&state=Ttqg%2FeG%2B2iZWp9%2Bp8tbe0dSZ → 
  4. https://my.sisense.com/openid_callback?state=Ttqg%2FeG%2B2iZWp9%2Bp8tbe0dSZ&session_state=3d07352e-d3ef-4b78-9b83-5801ce92a265&code=81110e04-2aae-4dce-bcaa-2ad511f23f76.3d07352e-d3ef-4b78-9b83-5801ce92a265.4e2b1b4c-b52e-4e47-9634-ae9eb6fd1aae → 
  5. https://my.sisense.com/app 

Where:

  1. https://my.sisense.com - the address of your Sisense site
  2. https://sso.provider.com - the address of your SSO provider

Default behaviour

By default, Sisense does not apply any restrictions to the "return_to" parameter. As a result, a user can be redirected to an arbitrary external domain once the SSO authentication is finished (an open redirect).

For example: https://my.sisense.com/openid?return_to=http://external.com

We strongly recommend limiting redirect targets to trusted sites only (the Sisense domain, embedding domains, the SSO portal page, etc.).

Configuration options

Note: These options are available in the Sisense Linux version from L2021.3 onwards.

Sisense can be configured to restrict the target domains passed in query-string parameters (such as "return_to") during the SSO flow.

To do so:

  1. Send an API v0.9 POST /settings/sso request with the following payload: {"newReturnToValidationBehavior": true}
  2. Refresh the Sisense page.
  3. Navigate to the [Admin] tab → [Security Settings].
  4. You will now see an additional [Allowed Target URLs] section. Add the whitelisted target URLs (make sure to include the Sisense URL itself) and save the changes.

Service restarts are not required.

Important: if the [Allowed Target URLs] list is left empty, every domain is allowed as a redirect target, i.e. the restriction is not in effect.
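To make the allowlist semantics concrete, the following is an added example of how an exact-origin check on "return_to" can be implemented. It is a hypothetical re-implementation written for this article, not Sisense's own code, and the allowed URLs and candidate values in it are constructed. It keeps the documented behaviour that an empty list allows everything, so that caveat stays visible, and it rejects the usual open-redirect bypass shapes (protocol-relative URLs, user@host prefixes, look-alike subdomains, non-http schemes).

```python
"""Allowlist check for the SSO "return_to" target (hypothetical re-implementation, not Sisense code)."""
from urllib.parse import urlsplit, parse_qs

# Constructed sample of the [Allowed Target URLs] list an admin might enter.
ALLOWED_TARGET_URLS = [
    "https://my.sisense.com",
    "https://embed.example.com:8443/",   # constructed embedding domain on a non-default port
]


def _origin(url):
    """Reduce an absolute http(s) URL to (scheme, host, port).

    Returns None for anything that must never become a redirect target:
    non-http(s) or protocol-relative URLs, URLs carrying user:pass@,
    missing hosts, or unparseable ports.
    """
    try:
        parts = urlsplit(url)
        port = parts.port            # raises ValueError on a non-numeric port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https"):
        return None                  # also rejects "//evil.example" and "javascript:" values
    if parts.username is not None or parts.password is not None:
        return None                  # "https://my.sisense.com@evil.example/" actually lands on evil.example
    if not parts.hostname:
        return None
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    return (parts.scheme, parts.hostname.lower(), port)


def build_allowlist(allowed_target_urls):
    """Normalise the admin-entered list into a set of exact origins; reject malformed entries."""
    origins = set()
    for entry in allowed_target_urls:
        origin = _origin(entry.strip())
        if origin is None:
            raise ValueError(f"not an absolute http(s) URL: {entry!r}")
        origins.add(origin)
    return origins


def is_allowed_return_to(return_to, allowlist):
    """True if the (already percent-decoded) return_to value may be used as the post-login redirect."""
    if not allowlist:
        # Mirrors the documented Sisense behaviour: an empty list allows every domain.
        # This is exactly the state an admin should avoid leaving the setting in.
        return True
    origin = _origin(return_to.strip())
    return origin is not None and origin in allowlist


def return_to_from_request(request_url):
    """Pull the return_to parameter out of an SSO request URL (parse_qs percent-decodes it)."""
    values = parse_qs(urlsplit(request_url).query).get("return_to", [])
    return values[0] if values else None


def resolve_callback_redirect(request_url, allowlist):
    """Decide what the callback page does: ('redirect', target) or ('forbidden', None)."""
    target = return_to_from_request(request_url)
    if target is not None and is_allowed_return_to(target, allowlist):
        return ("redirect", target)
    return ("forbidden", None)


if __name__ == "__main__":
    allowlist = build_allowlist(ALLOWED_TARGET_URLS)
    for url in [
        "https://my.sisense.com/openid?return_to=https%3A%2F%2Fmy.sisense.com%2Fapp",
        "https://my.sisense.com/openid?return_to=http://external.com",
        "https://my.sisense.com/openid?return_to=https%3A%2F%2Fmy.sisense.com%40evil.example%2F",
    ]:
        print(url, "->", resolve_callback_redirect(url, allowlist))
```

The check matches on scheme, host and port exactly, not on a substring of the host, so every origin that legitimately appears in "return_to" has to be listed. Note that the redirect example earlier in this article carries an http:// form of the Sisense URL; in a deployment where both forms occur, both would need to be in the list.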

Forbidden domains

If the target URL is not in the allowed list, the redirect is blocked and the user sees a Forbidden message on the SSO callback page.

Conclusion

Sisense’s SSO flow uses a "return_to" parameter for redirects, which by default allows any domain. Since Linux version L2021.3, admins can restrict allowed redirect domains via API and security settings. If a redirect target isn’t whitelisted, Sisense blocks it and shows a Forbidden message. No service restart is needed.

Disclaimer: This post outlines a potential custom workaround for a specific use case or provides instructions regarding a specific task. The solution may not work in all scenarios or Sisense versions, so we strongly recommend testing it in your environment before deployment. If you need further assistance with this, please let us know.

Published 12-30-2025