CORS support - SSO

SSO Server

CORS with credentials enabled

  • Access-Control-Allow-Credentials: true
  • Access-Control-Allow-Methods: GET, POST
  • Access-Control-Allow-Origin: * 
EndpointDescription
/uas/refresh/*
The session refresh endpoint

CORS enabled

  • Access-Control-Allow-Methods: GET, POST
  • Access-Control-Allow-Origin: *
EndpointDescription
/uas/saml2/metadata.xml
/uas/wsf/FederationMetadata.xml
/uas/.well-known/*
/uas/oauth2/metadata.json
/uas/oauth2/metadata.jwks
Metadata endpoints for SAML 2.0, WS-Federation, OAuth 2.0 and OpenID Connect 1.0
/uas/discovery/*
/uas/template/*
/uas/resource/*
Discovery and Template API
/uas/status
/uas/ping
Status endpoints
/uas/oauth2/token
/uas/oauth2/userinfo
/uas/oauth2/introspection
/uas/oauth2/revocation

OAuth 2.0 and OpenID Connect 1.0 protocol endpoints

Cannot use client_secret_basic client credentials, other client credentials types are possible

Authorization endpoint is not CORS enabled

CORS disabled

For any other SSO Server endpoints, all CORS requests are blocked.

Password

All CORS requests are blocked.

Management Console

All CORS requests are blocked.

References