About trusted domains

The primary function of Access Gateway is to proxy and redirect application requests. In certain scenarios, redirects can occur that are not authorized by Access Gateway. To prevent unauthorized redirects, Access Gateway provides support for trusted domains. When enabled, trusted domain support checks every redirect to determine whether the requested target is a known, trusted domain. If the domain is trusted, the redirect proceeds normally. If the domain is not in the trusted domain list, the redirect is blocked and an error is shown to the user.

You can use Manage Trusted Domains in the Access Gateway Management console to enable or disable the Access Gateway trusted domain feature and to view the list of trusted domains.

Trusted domains may be:

  • Enabled - When trusted domains are enabled, all redirects are checked against the known list of trusted domains.
    Redirects to other domains result in an error. (Image: the error message shown when an attempt is made to redirect to an untrusted domain.)
  • Disabled - When trusted domains are disabled, redirects occur normally and are not checked against the known list of trusted origins.
Important

Trusted domains are enabled by default in Access Gateway deployments of v2020.8.3 and later.
Trusted domains are disabled by default when upgrading from earlier versions to maintain existing system behavior.

The list of trusted domains includes:

  • All trusted domains synchronized with your Okta tenant. To view trusted domains in your Okta tenant:
    1. Sign in to your Okta tenant as an Admin.
    2. In the Admin Console, go to Security > API.
    3. Select the Trusted origins tab.
  • The private domains of all applications as listed in the Protected Web Resource box.
    Note

    All application domains are synchronized with your Okta tenant as applications are added.
    Protocol and path information is not part of the domain.
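The following is an added example, not Access Gateway's own code, showing the kind of check the trusted domain feature performs: a redirect target is reduced to its host (protocol, port, and path are ignored, as the note above states) and compared against a list of trusted domains. The trusted domain list, the assumption that comparison is an exact, case-insensitive host match, and the treatment of relative redirects as same-host are all constructed here and are not taken from the page.

```python
from typing import Optional, Set
from urllib.parse import urlsplit

# Constructed sample trusted-domain list (not from the page).
TRUSTED_DOMAINS: Set[str] = {"app.example.com", "sso.example.com"}


def redirect_host(location: str) -> Optional[str]:
    """Return the lowercase host of a redirect target, or None for a relative redirect.

    urlsplit().hostname strips the scheme, any userinfo before '@', and the port,
    so 'https://user@App.Example.com:8443/x' yields 'app.example.com'.
    """
    return urlsplit(location.strip()).hostname


def is_trusted_redirect(location: str, trusted: Set[str], enabled: bool = True) -> bool:
    """Decide whether a redirect may proceed under the trusted-domain policy.

    Disabled: every redirect proceeds unchecked (the page's 'Disabled' behaviour).
    Enabled: the target host must appear in the trusted list (assumption: exact match).
    A target with no host (e.g. '/login') stays on the current host and is allowed
    (assumption; the page does not describe relative redirects).
    """
    if not enabled:
        return True
    host = redirect_host(location)
    if host is None:
        return True
    return host in trusted


def check_redirects(locations, trusted: Set[str]) -> dict:
    """Map each constructed Location value to 'allowed' or 'blocked'."""
    return {loc: ("allowed" if is_trusted_redirect(loc, trusted) else "blocked")
            for loc in locations}


if __name__ == "__main__":
    # Constructed sample Location header values for the demo.
    sample = [
        "https://app.example.com/login?next=1",
        "HTTPS://SSO.EXAMPLE.COM:443/start",
        "/relative/path",
        "https://untrusted.example/",
        "//untrusted.example/path",
    ]
    for loc, verdict in check_redirects(sample, TRUSTED_DOMAINS).items():
        print(f"{verdict:8} {loc}")
```

Note that the host check alone does not validate what the trusted list contains; keeping that list synchronized with the Okta tenant, as the page describes, is what makes the check meaningful.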