Improved Security in SAML/OIDC Sign-in Redirection Flow
To enhance the security of our authentication system, we’ve made a change to how SAML and OIDC sign-in redirections are handled. This update resolves a potential open redirection vulnerability and adds an extra layer of protection during the sign-in process.
What’s changing?
Previously, when an account was set up to use only SAML or OIDC for sign-in, users were automatically redirected to the configured SSO URL without any intermediate steps.
However, this behavior could be misused. If an attacker managed to configure a malicious redirect URL as part of the SSO setup and sent that sign-in link to a user, the user could be unknowingly redirected to a harmful site, even if they don’t belong to the attacker’s organization.
To prevent this, we now present users with a consent screen (shown below) before redirecting them to the SSO URL. This screen clearly displays the Sign-in URL and asks users to confirm that they trust the site before proceeding.
Note: You may see this consent screen when signing in through a direct link or from a site that is not part of your organization’s trusted domains. This is a security measure to help verify the origin of your sign-in attempts. If you're unsure about the URL displayed, please contact your administrator before proceeding.
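The decision logic described above (redirect straight to the SSO URL when the request comes from one of the organization’s trusted domains, otherwise show an interstitial that names the Sign-in URL) can be sketched as follows. This is an added illustration, not the product’s own code: the function names, the `trusted_domains` list and the use of the HTTP Referer as the origin signal are assumptions about how such a check could be wired up, and the sample URLs are constructed.

```python
from dataclasses import dataclass
from typing import Iterable, Optional
from urllib.parse import urlsplit


@dataclass(frozen=True)
class RedirectDecision:
    action: str        # "redirect" (go straight to SSO), "consent" (show interstitial), "reject"
    target: str        # the configured SSO URL the browser would be sent to
    display_host: str  # host shown prominently on the consent screen
    reason: str        # human-readable explanation for logs/debugging


def _host_of(url: Optional[str]) -> Optional[str]:
    """Return the lower-cased hostname of an absolute URL, or None if unparsable."""
    if not url:
        return None
    try:
        host = urlsplit(url).hostname
    except ValueError:  # e.g. malformed IPv6 literal
        return None
    return host.lower() if host else None


def _in_trusted_domains(host: Optional[str], trusted: Iterable[str]) -> bool:
    """Exact match or a subdomain of a trusted domain.

    The '.' prefix matters: 'example-corp.com.evil.test' and
    'notexample-corp.com' must NOT be treated as trusted.
    """
    if not host:
        return False
    for domain in (d.lower().strip(".") for d in trusted):
        if host == domain or host.endswith("." + domain):
            return True
    return False


def plan_sso_redirect(sso_url: str, referer: Optional[str],
                      trusted_domains: Iterable[str]) -> RedirectDecision:
    """Decide how to handle a SAML/OIDC sign-in for an SSO-only account.

    - The configured SSO URL must be an absolute https URL (hypothetical policy).
    - A request arriving from a trusted domain is redirected without a prompt.
    - Anything else (direct link, foreign site, missing Referer) gets the consent screen.
    """
    parts = urlsplit(sso_url)
    if parts.scheme != "https" or not parts.hostname:
        return RedirectDecision("reject", sso_url, "",
                                "SSO URL must be an absolute https URL")
    sso_host = parts.hostname.lower()
    if _in_trusted_domains(_host_of(referer), trusted_domains):
        return RedirectDecision("redirect", sso_url, sso_host,
                                "request originated from a trusted domain")
    return RedirectDecision("consent", sso_url, sso_host,
                            "direct link or untrusted origin; ask the user to confirm")


def render_consent(decision: RedirectDecision) -> str:
    """Plain-text stand-in for the consent screen: show host first, then full URL."""
    return (
        f"You are about to be redirected to: {decision.display_host}\n"
        f"Sign-in URL: {decision.target}\n"
        "Continue only if you recognise this address."
    )


if __name__ == "__main__":
    # Constructed sample values; no real organization is referenced.
    trusted = ["example-corp.test"]
    sso = "https://idp.example-corp.test/saml/sso"
    for ref in ("https://app.example-corp.test/login", None,
                "https://example-corp.test.evil.test/"):
        d = plan_sso_redirect(sso, ref, trusted)
        print(f"referer={ref!r}: {d.action} ({d.reason})")
        if d.action == "consent":
            print(render_consent(d))
```

Showing the bare host above the full URL is deliberate: a long query string or a look-alike path can bury the part of the address the user actually needs to judge.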