CORS support - SSO
SSO Server
CORS with credentials enabled
As of Identity Server 8.3.2 any resources that are shared across origins and require to authenticate the user are disabled by default as their allowed origins are required to be declared explicitly..
- Access-Control-Allow-Credentials: true
- Access-Control-Allow-Methods: GET, POST
- Access-Control-Allow-Origin: https://www.example.com
Endpoint | Description |
---|---|
/uas/refresh/* | The session refresh endpoint |
CORS enabled
- Access-Control-Allow-Methods: GET, POST
- Access-Control-Allow-Origin: *
Endpoint | Description |
---|---|
/uas/saml2/metadata.xml /uas/wsf/FederationMetadata.xml /uas/.well-known/* | Metadata endpoints for SAML 2.0, WS-Federation, OAuth 2.0 and OpenID Connect 1.0 |
/uas/discovery/* | Discovery and Template API |
/uas/status | Status endpoints |
/uas/oauth2/token | OAuth 2.0 and OpenID Connect 1.0 protocol endpoints Cannot use client_secret_basic client credentials, other client credentials types are possible Authorization endpoint is not CORS enabled |
CORS disabled
For any other SSO Server endpoints, all CORS requests are blocked.
Password
All CORS requests are blocked.
Management Console
All CORS requests are blocked.
References
This web page (including any attachments) may contain confidential, proprietary, or privileged information – not for disclosure without authorization from Ubisecure Inc. Copyright © 2024. All Rights Reserved.