About trusted domains

The primary function of Access Gateway is to proxy and redirect application requests. In certain scenarios, it is possible for redirects to occur, which are not authorized by Access Gateway. To prevent unauthorized redirects, Access Gateway provides support for trusted domains. When enabled, trusted domain support checks all redirects to determine if the requested redirect is to a known or trusted domain. If the domain is trusted, then the redirect occurs without concern. However, if the domain is not in the trusted domain list, then the redirect is blocked and an error shown to the user.
Available since Access Gateway version 2020.08.3

Important Note

When enabled, Access Gateway only used trusted domains to examine redirects into Access Gateway. Protected resource redirects may still occur and are outside the control of core Access Gateway.

Process flow

Process flow (known trusted domain):

  1. Request is send to Access Gateway.
  2. Access Gateway examines the request against the list of known trusted domains. Determines domain is "trusted".
    Note:Trusted domains are synchronized with the client Okta org.
  3. Access Gateway redirects trusted domain requests to the protected application.
  4. Protected application returns request.
  5. Access Gateway Admin UI console returns requested.

Process flow (untrusted domain)

  1. Request is send to Access Gateway.
  2. Access Gateway examines the request against the list of known trusted domains. Determines domain is untrusted.
  3. Access Gateway returns an error to the client.

Managing trusted domains

You can use the Manage Trusted Domains in the Access Gateway Management console to enable or disable the Access Gateway trusted domain feature and view the list of trusted domains.

Trusted domains may be:

  • Enabled - When trusted domains are enabled, only redirects are checked against the known list of trusted domains.
    Redirects to other domains result in an error similar to:
    Error message when an attempt is made to redirect to a untrusted domain.
  • Disabled - When trusted domains are disabled redirects occur normally but are not checked against the known list of trusted origins.

Trusted domains are enabled by default in Access Gateway deployments of v2020.8.3 and later.
Trusted domains are disabled by default when upgrading from earlier versions to maintain existing system behavior.

The list of trusted domains includes:

  • Trusted domains are synchronized with your Okta tenant. To view trusted domains in your Okta tenant :
    1. Sign in to your Okta tenant as an Admin.
    2. In the Admin Console, go to SecurityAPI.
    3. Select the Trusted origins tab.
  • The private domains of all applications as listed in the Protected Web Resource field.

    All application domains are synchronized with your Okta tenant as applications are added.

    Protocol and path information is not part of the domain.

Related topics