Cross-Origin Resource Sharing (CORS) Configuration
  • 21 Feb 2024
  • 2 Minutes to read
  • Dark
    Light

Cross-Origin Resource Sharing (CORS) Configuration

  • Dark
    Light

Article summary

Cross-Origin Resource Sharing (CORS)

Cross-Origin Resource Sharing (CORS) is a mechanism that controls the access to web page resources from domains other than the domain serving the page and can be configured in RapidIdentity by tenant administrators to restrict access at a more granular level than the default settings. 

Use the following instructions to modify the CORS setting in RapidIdentity.

WARNING
Incorrect CORS configuration settings can restrict all access to RapidIdentity, even Tenant and System Administrator access. Changes to the default CORS settings should only be made by administrators with a thorough understanding of Cross-Origin Resource Sharing configuration.

Consult the following resources for information regarding Cross-Origin Resource Sharing (CORS):

Tenant and System Administrators can modify CORS settings in RapidIdentity by navigating to Configuration > General > Settings > CORS in the RapidIdentity Portal. Click Save when each subsection has been updated as desired.

Allowed Methods

The Allowed Methods section lists HTTP request methods that can be used to access resources using cross-origin requests and defines the methods to be included in the Access-Control-Allow-Methods header in pre-flight responses.

Default Values: GET, HEAD, POST, PUT, PATCH, DELETE, OPTIONS

CORS_-_Allowed_Methods.png

Allowed Headers

The Allowed Headers section lists HTTP request headers that can be used when making cross-origin requests. These headers will also be returned in the Access-Control-Allow-Headers header in pre-flight responses.

Default Values: Origin, Accept, X-Requested-With, Content-Type, Access-Control-Request-Method, Access-Control-Request-Headers, idauto.debug, X-idauto-debug, Authorization

CORS_-_Allowed_Headers.png

Allowed Origins

The Allowed Origins section lists all origins allowed to access resources on the server using cross-origin requests. A value of * indicates that resources are allowed to be accessed from any origin.


NOTES:
  1. * is not secure; Identity Automation recommends including an accurate domain value during initial configuration.
  2.  If configuring RapidIdentity for SAML authentication against an Identity Provider in a different domain, that domain may require being added as Allowed Origin. The Allowed Origin value should be formatted as https://identity_provider_domain.

Exposed Headers

The Exposed Headers section lists all headers other than simple response headers that browsers will be allowed to access. These are the headers which will be included in the Access-Control-Expose-Headers header in pre-flight responses.

Default Value: [blank]

CORS_-_Exposed_Headers.png

Max Age (seconds)

The Max Age subsection defines the number of seconds a browser is allowed to cache the result of a pre-flight request. This will be included as the Access-Control-Max-Age header in pre-flight responses. A negative value will prevent the header from being included in pre-flight responses.

Default Value: 1800

CORS_-_Max_Age.png

Supports Credentials

The Supports Credentials option, when checked, responds to browser requests with Allow Credentials in order to improve security on cross-origin requests.

Default Value: [blank]

Supports_Credentials_-_Both_platforms.jpg

Custom crossdomain.xml

A cross-domain policy file is an XML document that grants a Flash Player client permission to handle data across domains. To populate this subsection, simply cut and paste the code for the desired cross-domain policy .xml file.

Default Value: [blank]

CORS_-_Custom_crossdomain_xml.png

NOTE:

The default crossdomain.xml file served by the RapidIdentity server is constructed from the rest of the CORS configuration as described above. A custom crossdomain.xml value should only be required if the default is not sufficient.

The default crossdomain.xml file can be accessed in a browser at https://[rapididentity_domain]/crossdomain.xml.













Was this article helpful?

ESC

Eddy AI, facilitating knowledge discovery through conversational intelligence