I found one vulnerability in SSO. It is about Unvalidated Redirects, which is defined in OWASP A10.
For example, when I input the URL below in IE, I was successfully redirected to my project URL: https://am.abc.sg/sso/UI/Login?goto=https://192.168.1.2:430/abc/Index
It should validate the return URL and reject my request.
My reply below:
The observation is a valid one. It is the default product behavior.
You can, however, enhance security by setting allowed Goto URL domains by going to:
/ (Top Level Realm) -> Authentication -> All Core Settings ... -> Security -> Valid goto URL domains
By default OpenAM will redirect the user to the URL specified in the goto parameter supplied to the authentication interface. To enhance security a list of valid DNS domains can be specified. OpenAM will only redirect a user if the domain of the goto URL is present in this list.
At least there is a way to tighten security if the customer chooses to.
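The check the setting applies (redirect only when the goto host is on the allow-list, matched exactly or as a sub-domain) as a worked example added here, not OpenAM's own code; the domain list, default path and test inputs are constructed:

```python
from urllib.parse import urlsplit

# Constructed allow-list standing in for "Valid goto URL domains" (hypothetical values).
VALID_GOTO_DOMAINS = ["abc.sg", "192.168.1.2"]
# Constructed safe landing page used when the goto parameter is rejected.
DEFAULT_GOTO = "/sso/UI/Index"


def _host_allowed(host, allowed):
    """True if host equals an allowed domain or is a sub-domain of one."""
    for domain in allowed:
        domain = domain.lower()
        if host == domain or host.endswith("." + domain):
            return True
    return False


def resolve_goto(goto, allowed=VALID_GOTO_DOMAINS, default=DEFAULT_GOTO):
    """Return goto if its host is on the allow-list, otherwise the safe default."""
    if not goto:
        return default
    # Browsers treat a backslash like a slash; normalise first so that
    # "https:\\other.example" or "/\other.example" are parsed the way a browser would.
    goto = goto.replace("\\", "/")
    try:
        parts = urlsplit(goto)
    except ValueError:  # e.g. malformed IPv6 literal
        return default
    if not parts.scheme and not parts.netloc:
        # A plain site-local path is fine; "//host/..." is host-relative and is not.
        if goto.startswith("/") and not goto.startswith("//"):
            return goto
        return default
    if parts.scheme.lower() not in ("http", "https"):
        return default
    # .hostname strips userinfo and port, so "user@host" tricks resolve to the real host.
    host = parts.hostname
    if not host or not _host_allowed(host, allowed):
        return default
    return goto
```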