CORS support - SSO
SSO Server
CORS with authentication enabled
Resources that require to authenticate the user via Authentication header are by default allowed for all origins. How to restrict allowed origins, see Restricting allowed origins for CORS.
Access-Control-Allow-Headers: Authorization
- Access-Control-Expose-Headers: WWW-Authenticate
- Access-Control-Allow-Methods: GET, POST
- Access-Control-Allow-Origin: *
| Endpoint | Description |
|---|---|
/uas/oauth2/token | OAuth 2.0 and OpenID Connect 1.0 protocol endpoints Cannot use client_secret_basic client credentials, other client credentials types are possible Authorization endpoint is not CORS enabled |
CORS with credentials enabled
Resources that require to authenticate the user with credentials are by default allowed for all origins. How to restrict allowed origins, see Restricting allowed origins for CORS.
- Access-Control-Allow-Credentials: true
- Access-Control-Allow-Methods: GET, POST
- Access-Control-Allow-Origin: *
| Endpoint | Description |
|---|---|
/uas/refresh/* | The session refresh endpoint |
CORS enabled
- Access-Control-Allow-Methods: GET, POST
- Access-Control-Allow-Origin: *
| Endpoint | Description |
|---|---|
/uas/saml2/metadata.xml /uas/wsf/FederationMetadata.xml /uas/.well-known/* | Metadata endpoints for SAML 2.0, WS-Federation, OAuth 2.0 and OpenID Connect 1.0 |
/uas/discovery/* | Discovery and Template API |
/uas/status | Status endpoints |
CORS disabled
For any other SSO Server endpoints, all CORS requests are blocked.
Password
All CORS requests are blocked.
Management Console
All CORS requests are blocked.
Troubleshooting
You can verify the CORS configuration from the diagnostic logs, see Diag log description:
- set debug level for INIT for basic filter setup
- set debug level for
com.ubisecure.util.filter.CorsFilterfor more details