OpenID error: Blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.


SecureAuth Idp Version affected: All

When trying to set up an OIDC based Service Provider, the follow error is seen

Access to XMLHttpRequest at '' from origin '' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.


The SP's XMLHttpRequest expects there to be CORS headers in place.


You can add this to SecureAuth by installing the IIS CORS module.


1. Install the IIS CORS module from here:

2. Open the SecureAuth Web Admin console, navigate to the System Info tab of your OpenID realm and click "Decrypt"

3. Take a backup of the web.config of your OpenID/Oauth realm

4. Edit the Web.config and add the cors headers that you need.

You can specifically add the cors module to specific paths by adding a <location path=””> header to the bottom of the web.config before the </configuration> close. For example:

<location path=”.well-known/openid-configuration”>
    <cors enabled=”true” failUnlistedOrigins=”true”>
      <add origin=”” >
        … other settings as needed here see



Please note, You can also add cors to all of the endpoints by using the system.webServer bits outside of a location tag at the bottom of the web.config before the </configuration> closing tag. However, we recommend using the location method described above so that you are properly scoping the CORS headers. You will need to add locations for not just the .well-known endpoint, but the default SecureAuth.aspx endpoint and any of the other endpoints you plan on using for your OIDC/OAUTH flow.

SecureAuth Knowledge Base Articles provide information based on specific use cases and may not apply to all appliances or configurations. Be advised that these instructions could cause harm to the environment if not followed correctly or if they do not apply to the current use case.
Customers are responsible for their own due diligence prior to utilizing this information and agree that SecureAuth is not liable for any issues caused by misconfiguration directly or indirectly related to SecureAuth products.

0 out of 0 found this helpful



Please sign in to leave a comment.