Redirect and SSH URL Hardening

Use this page to restrict redirect endpoints and bastion callback URLs to approved destinations.

These controls reduce the risk of endpoint spoofing, unsafe callback routing, and user-supplied URL abuse in portal-assisted access flows.

Bastion Redirect Allowlists

For Gateway remote access configuration, use bastion URL allowlists:

akeyless gateway update remote-access \
  --allowed-urls https://<BASTION_URL_1>,https://<BASTION_URL_2> \
  --gateway-url https://<YOUR_AKEYLESS_GW_URL>:8000

In Zero Trust Web Access (ZTWA) deployment configuration, allowlist controls include:

  • dispatcher.config.allowedBastionUrls
  • dispatcher.config.allowedProxyUrls

For requirements context, see SRA Requirements.

Authentication Method Redirect URIs

Authentication methods also have redirect restrictions. For example, SAML and OIDC auth methods support --allowed-redirect-uri configuration.

These redirect URI controls are separate from SRA bastion allowlists and should be configured consistently.

For auth method reference, see CLI Reference - Auth.

SSH Endpoint Hardening Context

For SSH-based SRA, combine URL allowlists with host restrictions on SSH Certificate Issuers and approved bastion endpoint configuration.

For host restriction controls, see SSH Access and SSH Certificates.

Validation Checklist

  1. Define allowed bastion URLs in Gateway configuration.
  2. Define allowed proxy URLs for ZTWA dispatcher where applicable.
  3. Verify authentication method redirect URIs are restricted.
  4. Confirm user-provided endpoints outside allowlists are rejected.
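
For checklist step 4, the following added example (not Akeyless code) builds rejection test cases by comparing candidate URLs to an allowlist on exact scheme, host and port. Origin-level matching, the example.test hostnames and the function names are assumptions; the product's own matching rules are not described on this page and may differ.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"https": 443}  # assumption: only https is accepted, as in the page's examples

def origin(url):
    """Return (scheme, host, port), or None when the URL must not be trusted."""
    if any(c in url for c in "\\ \t\r\n"):
        return None  # characters that URL parsers handle inconsistently
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed or out-of-range port
    except ValueError:
        return None
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    if parts.username is not None or parts.password is not None:
        return None  # userinfo ("allowed-host@other-host") hides the real host
    host = parts.hostname.lower().rstrip(".")  # treat "host." and "host" as equal
    return (scheme, host, DEFAULT_PORTS[scheme] if port is None else port)

def is_allowed(candidate, allowlist):
    """Exact origin match only: no prefix, suffix or substring comparison."""
    allowed = {origin(u) for u in allowlist} - {None}
    return origin(candidate) in allowed

# Constructed sample data (hypothetical hosts under the reserved .test TLD).
ALLOWLIST = ["https://bastion-1.example.test", "https://bastion-2.example.test:8443"]
CANDIDATES = [
    "https://bastion-1.example.test/",                    # exact match
    "https://BASTION-1.example.test:443/session",         # same origin, explicit port
    "https://bastion-1.example.test.other.test",          # allowed name used as a prefix
    "https://bastion-1.example.test@other.example.test",  # allowed name in userinfo
    "http://bastion-1.example.test",                      # scheme downgrade
    "https://bastion-2.example.test",                     # port differs from 8443
    "https://bastion-1.example.test:99999",               # invalid port
]

def audit(candidates=CANDIDATES, allowlist=ALLOWLIST):
    """Map each candidate URL to True (allowed) or False (must be rejected)."""
    return {c: is_allowed(c, allowlist) for c in candidates}

if __name__ == "__main__":
    for url, ok in audit().items():
        print("ALLOW " if ok else "REJECT", url)
```

Every candidate the script marks REJECT is a test input the deployed configuration should also refuse.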