About trusted domains
The primary function of Access Gateway is to proxy and redirect application requests. In certain scenarios, redirects can occur that are not authorized by Access Gateway. To prevent unauthorized redirects, Access Gateway provides support for trusted domains. When enabled, trusted domain support checks every redirect to determine whether the requested redirect is to a known, trusted domain. If the domain is trusted, the redirect proceeds. If the domain is not in the trusted domain list, the redirect is blocked and an error is shown to the user.
When enabled, Access Gateway uses trusted domains only to examine redirects into Access Gateway. Redirects issued by protected resources themselves may still occur and are outside the control of core Access Gateway.
Process flow (known trusted domain):
Process flow (untrusted domain):
Managing trusted domains
Use Manage Trusted Domains in the Access Gateway Management console to enable or disable the Access Gateway trusted domain feature and to view the list of trusted domains.
Trusted domains may be:
- Enabled - When trusted domains are enabled, redirects into Access Gateway are checked against the known list of trusted domains.
Redirects to other domains result in an error similar to:
- Disabled - When trusted domains are disabled, redirects occur normally and are not checked against the known list of trusted origins.
Trusted domains are enabled by default in Access Gateway deployments of v2020.8.3 and later.
Trusted domains are disabled by default when upgrading from earlier versions to maintain existing system behavior.
The list of trusted domains includes:
- All trusted domains synchronized with your Okta tenant. To view trusted domains in your Okta tenant:
  - Sign in to your Okta tenant as an Admin.
  - In the Admin Console, go to Security > API.
  - Select the Trusted origins tab.
- The private domains of all applications as listed in the Protected Web Resource field.
All application domains are synchronized with your Okta tenant as applications are added.
Protocol and path information is not part of the domain.
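As an added example (not Okta's or Access Gateway's own code, and the domain names are constructed), the following Python shows how a redirect check of the kind described above can be applied: only the domain of the redirect target is compared against the allowlist, so scheme, port, userinfo, path and query play no part, and targets that browsers and parsers could interpret differently are rejected rather than guessed at.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed allowlist standing in for the synchronized list:
# the tenant's trusted origins plus the private domains of protected apps.
TRUSTED_DOMAINS = {"example.okta.com", "app.internal.example.com"}


def redirect_domain(location: str) -> Optional[str]:
    """Return the domain a Location header value would send the browser to.

    "" means a path-only redirect that stays on the current host;
    None means the value is unsafe or ambiguous and must not be followed.
    Only the domain is extracted: protocol, port and path are ignored.
    """
    location = location.strip()
    # Backslashes and control characters are normalised differently by
    # browsers and URL libraries; refuse them instead of interpreting them.
    if "\\" in location or any(ord(c) < 0x20 for c in location):
        return None
    parts = urlsplit(location)
    if parts.scheme:
        if parts.scheme not in ("http", "https"):   # data:, javascript:, ...
            return None
    elif location.startswith("/"):
        body = location.lstrip("/")
        if len(location) - len(body) == 1:
            return ""                              # "/dashboard": same host
        # "//host" and "///host" are both scheme-relative to a browser.
        parts = urlsplit("https://" + body)
    else:
        return None                                # bare relative reference
    host = parts.hostname                          # strips user:pass@ and :port
    return host.rstrip(".") if host else None      # hostname is already lowercase


def is_trusted_redirect(location: str, trusted_domains=TRUSTED_DOMAINS) -> bool:
    """Allow the redirect only for same-host targets or an exact trusted domain."""
    domain = redirect_domain(location)
    if domain is None:
        return False
    if domain == "":
        return True
    return domain in {d.lower() for d in trusted_domains}


if __name__ == "__main__":
    for target in ("https://example.okta.com/login?x=1",
                   "https://example.okta.com@evil.example/", "//evil.example/"):
        print(f"{target!r}: {'allowed' if is_trusted_redirect(target) else 'blocked'}")
```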