Improved Security in SAML/OIDC Sign-in Redirection Flow

To enhance the security of our authentication system, we’ve made a change to how SAML and OIDC sign-in redirections are handled. This update resolves a potential open redirection vulnerability and adds an extra layer of protection during the sign-in process.

What’s changing?

Previously, when an account was set up to use only SAML or OIDC for sign-in, users were automatically redirected to the configured SSO URL without any intermediate steps.

However, this behavior could be misused. If an attacker managed to configure a malicious redirect URL as part of the SSO setup and sent that sign-in link to a user, the user could be unknowingly redirected to a harmful site, even if they don’t belong to the attacker’s organization.

To prevent this, we now display an intermediate screen (shown below) before redirecting the user to the SSO URL. This screen clearly displays the Sign-in URL, giving users visibility into the destination before proceeding.
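The following is an added illustration of the decision logic such an interstitial implies; it is example code written for this page, not Zoho's implementation. It assumes a hypothetical per-organisation list of trusted domains (TRUSTED_DOMAINS, constructed here) and uses the browser's Referer header to tell a sign-in started from a trusted site apart from a direct or third-party link. A missing or stripped Referer, a non-trusted origin, or a look-alike host all fall through to the consent screen, and the screen prints the full destination host so the user can compare it with what they expect.

```python
from dataclasses import dataclass
from typing import Optional, Set
from urllib.parse import urlsplit
import html

# Hypothetical trusted-domain list for one organisation (constructed for this example).
TRUSTED_DOMAINS: Set[str] = {"example-corp.com", "intranet.example-corp.com"}


@dataclass
class RedirectDecision:
    action: str       # "redirect" (go straight to SSO) or "interstitial" (show consent screen)
    reason: str       # human-readable explanation, useful for audit logs
    destination: str  # the configured SSO URL the user would be sent to


def host_is_trusted(referer: Optional[str], trusted: Set[str]) -> bool:
    """True only when the Referer names a trusted domain or a subdomain of one.

    Suffix matching is done on a dot boundary, so 'evil-example-corp.com' and
    'example-corp.com.attacker.test' are both rejected.
    """
    if not referer:
        return False
    host = (urlsplit(referer).hostname or "").lower()
    if not host:
        return False
    return any(host == d or host.endswith("." + d) for d in trusted)


def validate_sso_url(sso_url: str) -> None:
    """Reject anything that is not an absolute https URL (e.g. javascript: or scheme-relative URLs)."""
    parts = urlsplit(sso_url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("SSO URL must be an absolute https URL")


def decide_redirect(sso_url: str, referer: Optional[str],
                    trusted: Set[str] = TRUSTED_DOMAINS) -> RedirectDecision:
    """Decide whether a sign-in request may be forwarded to the SSO URL immediately.

    Fail closed: any case we cannot positively attribute to a trusted origin
    gets the intermediate consent screen instead of an automatic redirect.
    """
    validate_sso_url(sso_url)
    if host_is_trusted(referer, trusted):
        return RedirectDecision("redirect", "request came from a trusted domain", sso_url)
    reason = "direct link (no Referer)" if not referer else "Referer host is not a trusted domain"
    return RedirectDecision("interstitial", reason, sso_url)


def render_interstitial(decision: RedirectDecision) -> str:
    """Render the consent screen. The destination host is shown prominently and HTML-escaped."""
    parts = urlsplit(decision.destination)
    host = html.escape(parts.hostname or "", quote=True)
    full = html.escape(decision.destination, quote=True)
    return (
        "<h1>You are about to leave this site</h1>\n"
        f"<p>Sign-in URL host: <strong>{host}</strong></p>\n"
        f"<p>Full URL: <code>{full}</code></p>\n"
        f"<p>Reason for this screen: {html.escape(decision.reason)}</p>\n"
        f'<a href="{full}" rel="noreferrer">Continue to sign-in</a> '
        "<a href=\"/\">Cancel</a>\n"
    )


if __name__ == "__main__":
    sso = "https://idp.example.com/saml/sso"  # constructed SSO endpoint
    for ref in ("https://intranet.example-corp.com/apps", None, "https://evil-example-corp.com/"):
        d = decide_redirect(sso, ref)
        print(f"referer={ref!r:45} -> {d.action:12} ({d.reason})")
    print(render_interstitial(decide_redirect(sso, None)))
```

In practice the Referer is only a hint (sites can suppress it with a referrer policy); the design treats its absence as "unknown origin" and shows the screen, which is the safe default. The decision's `reason` field is worth logging, since a spike of interstitials pointing at an unfamiliar host is an early signal that a sign-in link is being circulated outside the organisation.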

Note: You may see this consent screen when signing in through a direct link or from a site that is not part of your organization’s trusted domains. This is a security measure to help verify the origin of your sign-in attempts. If you're unsure about the URL displayed, please contact your administrator before proceeding.

If you have any questions or concerns, feel free to reach out to us at support@zohoaccounts.com