SecureAuth IdP. Version affected: All
Description:
When trying to set up an OIDC-based Service Provider, the following error is seen in the browser console:
Access to XMLHttpRequest at 'https://sauth.example.com/SecureAuth4/SecureAuth.aspx' from origin 'https://mysp.example.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
Cause:
The SP's XMLHttpRequest to the IdP is a cross-origin request. The browser will only hand the response to the SP's script if the IdP replies with the appropriate CORS headers (Access-Control-Allow-Origin and, for preflighted requests, Access-Control-Allow-Methods and Access-Control-Allow-Headers). The IdP does not send these headers by default, so the browser blocks the response.
Resolution:
You can add these headers on the IdP by installing the IIS CORS module and enabling it for the realm endpoints used by the flow.
1. Install the IIS CORS module from here: https://www.iis.net/downloads/microsoft/iis-cors-module
2. Open the SecureAuth Web Admin console, navigate to the System Info tab of your OpenID realm and click "Decrypt" so that the realm's web.config can be edited in plain text.
3. Take a backup of the web.config of your OpenID/OAuth realm.
4. Edit the web.config and add the CORS configuration that you need.
You can scope the CORS configuration to specific paths by adding a <location path=""> element at the bottom of the web.config, just before the closing </configuration> tag. For example:
…
  <location path="secureauth.aspx">
    <system.webServer>
      <cors enabled="true" failUnlistedOrigins="true">
        <add origin="https://mysp.example.com">
          <!-- other settings as needed here; see https://docs.microsoft.com/en-us/iis/extensions/cors-module/cors-module-configuration-reference#cors-configuration -->
        </add>
        <add origin="https://idp.example.com">
          <!-- other settings as needed here; see https://docs.microsoft.com/en-us/iis/extensions/cors-module/cors-module-configuration-reference#cors-configuration -->
        </add>
      </cors>
    </system.webServer>
  </location>
</configuration>
Please note: if you wish to apply these CORS settings to the whole realm instead of using location tags, you will need to find the pre-existing <system.webServer> section, outside of any location tag, and add the <cors> element there.
If you simply add a second system.webServer section of your own, it may get wiped out on the next save.
We recommend the location method so that the CORS headers are scoped only to the endpoints that need them. You will need a location for the default SecureAuth.aspx endpoint and for any other endpoint you plan on using in your OIDC/OAuth flow. List only the exact origins of the SPs you control and keep failUnlistedOrigins="true"; do not use a wildcard origin on an authentication endpoint, since that would allow any website to call the IdP from a browser.
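The procedure above, carried out with PowerShell on the IdP itself, as an added example that is not SecureAuth's own code or documentation: it backs up the realm's web.config (step 3), writes a <location>-scoped <cors> block for the endpoint you name (step 4), refusing wildcard origins and the dot-prefixed paths that IIS rejects, and then sends the same preflight request a browser would, to confirm that Access-Control-Allow-Origin comes back for a listed origin. The realm path, the endpoint names, the origins and both function names are assumptions; the IIS CORS module must already be installed and the web.config decrypted.

```powershell
# Added example, not SecureAuth's own code. Assumes the IIS CORS module is installed and the
# realm's web.config has been decrypted in the Web Admin console. Paths, origins and function
# names below are assumptions for illustration; adjust them to your appliance.

function Add-SecureAuthCorsLocation {
    param(
        [Parameter(Mandatory)] [string]   $WebConfig,   # e.g. C:\inetpub\wwwroot\SecureAuth4\web.config (assumed)
        [Parameter(Mandatory)] [string]   $Path,        # relative virtual path such as SecureAuth.aspx
        [Parameter(Mandatory)] [string[]] $Origins,     # exact scheme://host[:port] origins of your SPs
        [switch] $AllowCredentials
    )

    # Only trust exact SP origins: a wildcard would let any site call the IdP endpoint from a
    # browser, and Access-Control-Allow-Origin: * cannot be combined with credentials anyway.
    foreach ($o in $Origins) {
        if ($o -eq '*' -or $o -notmatch '^https?://[^/*\s]+$') {
            throw "Origin '$o' is not an exact scheme://host[:port] origin."
        }
    }
    # IIS rejects a location path that starts with ' ', '.', '/' or '\'.
    if ($Path -match '^[ ./\\]') { throw "Location path '$Path' must be a relative virtual path." }

    # Step 3: timestamped backup before the file is touched.
    $full   = (Resolve-Path -LiteralPath $WebConfig).ProviderPath
    $backup = '{0}.{1:yyyyMMddHHmmss}.bak' -f $full, (Get-Date)
    Copy-Item -LiteralPath $full -Destination $backup

    [xml]$doc = Get-Content -LiteralPath $full -Raw
    $root = $doc.DocumentElement                                   # <configuration>

    # Reuse an existing <location> for this path or append a new one just before </configuration>.
    $location = $root.SelectSingleNode("location[@path='$Path']")
    if (-not $location) {
        $location = $root.AppendChild($doc.CreateElement('location'))
        $location.SetAttribute('path', $Path)
    }
    $webServer = $location.SelectSingleNode('system.webServer')
    if (-not $webServer) {
        $webServer = $location.AppendChild($doc.CreateElement('system.webServer'))
    }

    # Drop any earlier <cors> block so the function can be re-run safely.
    $old = $webServer.SelectSingleNode('cors')
    if ($old) { [void]$webServer.RemoveChild($old) }

    $cors = $webServer.AppendChild($doc.CreateElement('cors'))
    $cors.SetAttribute('enabled', 'true')
    $cors.SetAttribute('failUnlistedOrigins', 'true')              # unlisted origins are rejected

    foreach ($o in $Origins) {
        $add = $cors.AppendChild($doc.CreateElement('add'))
        $add.SetAttribute('origin', $o)
        $add.SetAttribute('maxAge', '120')                          # browser caches the preflight for 2 minutes
        if ($AllowCredentials) { $add.SetAttribute('allowCredentials', 'true') }
        $headers = $add.AppendChild($doc.CreateElement('allowHeaders'))
        $headers.SetAttribute('allowAllRequestedHeaders', 'true')
        $methods = $add.AppendChild($doc.CreateElement('allowMethods'))
        foreach ($m in 'GET', 'POST') {
            $methods.AppendChild($doc.CreateElement('add')).SetAttribute('method', $m)
        }
    }

    $doc.Save($full)   # note: XmlDocument re-indents the file on save
    return $backup
}

function Test-CorsPreflight {
    param(
        [Parameter(Mandatory)] [string] $Url,      # e.g. https://sauth.example.com/SecureAuth4/SecureAuth.aspx
        [Parameter(Mandatory)] [string] $Origin    # the SP origin exactly as the browser sends it
    )
    # The same preflight the browser sends before the SP's XMLHttpRequest.
    $reqHeaders = @{ 'Origin' = $Origin; 'Access-Control-Request-Method' = 'GET' }
    try {
        $resp = Invoke-WebRequest -Uri $Url -Method Options -Headers $reqHeaders -UseBasicParsing
        $allowed = @($resp.Headers['Access-Control-Allow-Origin'])[0]
    } catch {
        $allowed = $null   # Windows PowerShell throws on the 4xx that failUnlistedOrigins produces
    }
    return ($allowed -eq $Origin)
}

# Usage on the IdP (assumed paths and origins), one call per endpoint used by the OIDC/OAuth flow:
# Add-SecureAuthCorsLocation -WebConfig 'C:\inetpub\wwwroot\SecureAuth4\web.config' `
#     -Path 'SecureAuth.aspx' -Origins 'https://mysp.example.com'
# Test-CorsPreflight -Url 'https://sauth.example.com/SecureAuth4/SecureAuth.aspx' -Origin 'https://mysp.example.com'
# Test-CorsPreflight -Url 'https://sauth.example.com/SecureAuth4/SecureAuth.aspx' -Origin 'https://other.example'
```

Run the Add function once per endpoint in the flow, then run Test-CorsPreflight first with a listed SP origin and then with an origin that is not in the list: the second call shows whether failUnlistedOrigins is actually rejecting everything you did not name.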
SecureAuth Knowledge Base Articles provide information based on specific use cases and may not apply to all appliances or configurations. Be advised that these instructions could cause harm to the environment if not followed correctly or if they do not apply to the current use case.
Customers are responsible for their own due diligence prior to utilizing this information and agree that SecureAuth is not liable for any issues caused by misconfiguration directly or indirectly related to SecureAuth products.
Comments
This solution does not work. As soon as you save the web.config with the solution above, you will get an IIS configuration error stating:
path attribute must be a relative virtual path. It cannot start with any of ' ' '.' '/' or '\'
This is because it won't accept the location path as valid as it starts with a dot.
Jose, you're correct, it's a bad example.
I'll edit it to use a more valid example at some point.
For .well-known you'd want to create a folder with that name and then create a small web.config in there which contains the settings you need.
Will the above solution work for the error below? They seem similar, but I just wanted to confirm.
Access to XMLHttpRequest at 'https://mfapl.bestbuy.com/secureauth863/restart.aspx' (redirected from 'http://localhost:36576/EnterpriseCaseTypes/Get?_=1592584059806') from origin 'http://localhost:36576' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.
Also, I am seeing the same error for the SAML SP-initiated flow. Will it work for that too? If yes, what should the location tag be here, since it's the /secureauthxx/?SAMLRequest=sdsdsd.... URL load that is causing this error?
Hello Akhilesh,
People often find adding a static header in IIS easier to implement.
For example, using this KB https://support.secureauth.com/hc/en-us/articles/360024990452-Access-to-XMLHTTPRequest-has-been-blocked-by-CORS-policy
Simply change the attribute from the one in the example to Access-Control-Allow-Origin.
For more help on this, please raise a case.
Thanks
Do I need to install this package on my local machine or on the secureauth box?