Authentication Whitelist

The Authentication Whitelist includes the acceptable hosts to redirect to upon a successful login for internal CSM Web Applications (example: Portal sites).

Overview

When using the Cherwell REST API as an OAuth provider, users must maintain a whitelist of acceptable hosts to redirect to upon a successful login. Whitelisting redirect hosts prevents bad actors from hijacking the authentication flow by redirecting it to unsafe hosts. A separate whitelist can be maintained for each custom Cherwell REST API client, and a single shared whitelist applies to all of Cherwell's internal clients (example: Portal sites). The whitelists can be managed by launching the CSM Administrator.

CSM Administrator Whitelist Manager

The Whitelist Manager can be opened from CSM Administrator > Security > Authentication Whitelist.

  • Client: Select a custom Cherwell REST API client or an entry to represent all the internal Cherwell REST API clients.
  • New: Add a new whitelisted host to the selected Client.
  • Save: Save a new or modified whitelisted host on the selected Client.
  • Delete: Delete a whitelisted host from the selected Client.
  • Cancel: Cancel the changes made without saving.

Logging into the Browser Client or Portal

By default, the system will allow login redirects to the Browser Client, Portal, or other internal Cherwell clients if they are hosted on the same server as the Cherwell REST API. If they are hosted on different servers, users must add those hosts to the whitelist for internal Cherwell clients.

Using Cherwell API as an authentication provider for 3rd party applications

Some users may have 3rd party applications configured to use the Cherwell REST API as an authentication provider. If this is the case, they will have Cherwell REST API client keys defined for their applications. Users must add any hostname used by their 3rd party applications to the authentication whitelist for those clients. This will allow redirects back to those 3rd party applications to work.
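The following is an added illustration of the redirect-host check described in the Overview and in this section, written as example code; it is not Cherwell's implementation. It assumes a constructed configuration with one whitelist per custom client key plus one shared list for the internal clients, and a hypothetical API host name.

```python
from urllib.parse import urlsplit

# Constructed sample configuration (hypothetical names, not Cherwell's data model):
# one whitelist per custom REST API client key, plus a single shared whitelist
# for the internal clients (Browser Client, Portal, ...).
INTERNAL_CLIENTS = "__internal__"
WHITELISTS = {
    INTERNAL_CLIENTS: {"portal.example.com"},
    "ticketing-app-key": {"helpdesk.example.org"},
}
# Host the REST API itself is served from (assumed); internal clients on this
# host are allowed by default, as the page states.
API_HOST = "csm.example.com"


def redirect_allowed(client_id, redirect_url, whitelists=WHITELISTS, api_host=API_HOST):
    """Return True only if redirect_url targets a host whitelisted for client_id."""
    try:
        parts = urlsplit(redirect_url)
    except ValueError:  # e.g. malformed IPv6 literal
        return False
    # Absolute http(s) URLs only: rejects javascript:, data:, and
    # protocol-relative "//host/..." forms, which have no scheme.
    if parts.scheme not in ("http", "https"):
        return False
    # .hostname is lower-cased and has userinfo and port stripped, so
    # "https://portal.example.com@other.net/" resolves to "other.net".
    host = parts.hostname
    if not host:
        return False
    allowed = set(whitelists.get(client_id, set()))
    if client_id == INTERNAL_CLIENTS:
        allowed.add(api_host.lower())
    # Compare the complete host name. A suffix or substring match would also
    # accept "portal.example.com.other.net" or "evilportal.example.com".
    return host in allowed
```

The check is per client: a host whitelisted for a custom client key does not make it a valid redirect target for the internal clients, and vice versa.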