When running a Web Agent, how can it be made to send the CORS headers described in the SiteMinder OIDC documentation (1)?
The browser reports a CORS error on an XMLHttpRequest:

Access to XMLHttpRequest at 'http://<server name>.<domain name>.com/mysdweb/myapp/rest/1?timestamp/1?myVariable=1620654243697&mySession=41141' from origin 'http://<server name>.<domain name>.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

In the redacted message the calling origin and the requested URL look alike; in the real message they differ in scheme, host or port, which is what makes the request cross-origin and triggers the browser's check.
Web Agent 12.52SP1CR09 on Apache 2.4 on RedHat 6
The Web Agent itself does not add CORS headers; SiteMinder's CORS support is limited to the OIDC flow.
The ACO parameter CORSConfiguration is implemented only in CA Access Gateway (SPS), and only for the OIDC flow (2), so it does not apply to a Web Agent on Apache.
A related Idea was submitted in the past (3). In the meantime the CORS headers can be set by the web server itself, for example with mod_headers on Apache (4). Keep in mind that browsers reject a wildcard Access-Control-Allow-Origin for requests that carry credentials such as the SMSESSION cookie, so the allowed origin has to be returned explicitly rather than as "*".
To have this parameter added to Web Agent 12.52SP1, submit an Enhancement Request (Idea):
1. Go to the "All Ideas" page:
https://community.broadcom.com/ideation/allideas
2. Click the "Add" button.
3. Under "Select categories...", select "SiteMinder".
4. Enter a title in the "title" box.
5. Write a complete description of the Enhancement Request or Certification you would like to post.
6. Click "Save" to submit the Idea.
(1)
Cross-Origin Resource Sharing (CORS) Support for OIDC Endpoints
Web browsers follow different security policies to mitigate security risks when they serve user requests. The same-origin policy is a commonly used policy that allows a browser on a domain to access only those resources that are available within the domain, that is, the browser can access only resources with the same origin. In some cases, the same-origin policy may be restrictive when a user request requires different resources from different domains. For example, the same-origin policy forbids Single-Page Applications (SPAs) from accessing an OIDC Authorization Server that is present on another domain for OIDC requests.
(2)
CORS Configuration in Administrative UI
SiteMinder supports CORS using a new ACO parameter named CORSConfiguration in the SPSDefaultSettings ACO template. The default template with the new ACO parameter is shipped with Policy Server 12.8.03.
Note: The feature is supported only with Release 12.8.03 or higher Policy Server and Access Gateway.
(3)
Ability to add HSTS and CORS headers to .fcc pages
Even if we use the generic method to add HSTS headers to web pages from an IIS 8.5 server, we are unable to add HSTS headers to .fcc pages.
Now on IIS 10.0 adding the global header is working, so maybe there is some change in that area.
With the release of IIS 10.0 version 1709, HSTS is now supported natively.
https://docs.microsoft.com/en-us/iis/get-started/whats-new-in-iis-10-version-1709/iis-10-version-1709-hsts#iis-100-version-1709-native-hsts-support
(4)
CORS on CA SPS Federation Gateway
This fixed the CORS issue:
# Apache mod_headers directives; header names take no trailing colon and
# the methods header is Access-Control-Allow-Methods (plural)
Header always set Access-Control-Allow-Origin "*"
Header always set Access-Control-Allow-Methods "POST, GET, OPTIONS, DELETE, PUT"
Header always set Access-Control-Max-Age "1000"
Header always set Access-Control-Allow-Headers "x-requested-with, Content-Type, origin, authorization, accept, SMCHALLENGE"
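The directives in (4) open the API to every origin, and a wildcard Access-Control-Allow-Origin is rejected by the browser as soon as the SPA sends the SMSESSION cookie (a credentialed request), which is the usual case behind a Web Agent. The configuration below is an added example for the Apache 2.4 host from the environment above; it is not part of this article or of the SiteMinder product. It allow-lists origins, echoes the matching origin back, and answers the preflight locally, which is the web-server-side workaround the resolution refers to. The origin pattern, the /mysdweb/ path and the environment variable name CORS_ORIGIN are placeholders chosen for this example.

```apache
# Added example for the Apache 2.4 host running the Web Agent; not from the
# article or the product. Place it in the server or VirtualHost context.
# Needs mod_setenvif, mod_headers and mod_rewrite (all shipped with httpd
# on RHEL). Origins, path and the CORS_ORIGIN variable name are placeholders.

# 1. Weak form, as posted in (4): any site on the internet may call the API
#    from the user's browser, and the browser refuses "*" anyway for
#    requests that carry the SMSESSION cookie (credentials mode "include").
#Header always set Access-Control-Allow-Origin "*"

# 2. Hardened form: accept only known origins. The pattern is anchored and
#    the dots are escaped, so https://spa.example.com.attacker.net does not
#    match. CORS_ORIGIN is set only when the Origin request header matches.
SetEnvIf Origin "^(https://(spa|portal)\.example\.com)$" CORS_ORIGIN=$1

# 3. Echo the matching origin back, and only then. Credentials must be
#    allowed explicitly for the cookie-bearing request to succeed. Vary is
#    merged rather than set, so an existing "Vary: Accept-Encoding" survives
#    and shared caches key the response on the Origin.
Header always set Access-Control-Allow-Origin "%{CORS_ORIGIN}e" env=CORS_ORIGIN
Header always set Access-Control-Allow-Credentials "true" env=CORS_ORIGIN
Header always merge Vary "Origin" env=CORS_ORIGIN

# 4. Preflight answers. "always" attaches the headers to non-2xx responses
#    too, such as the 302 to the login FCC that the Web Agent issues when no
#    session is present, so the browser can at least read that response.
Header always set Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS" env=CORS_ORIGIN
Header always set Access-Control-Allow-Headers "Content-Type, Authorization, X-Requested-With, SMCHALLENGE" env=CORS_ORIGIN
Header always set Access-Control-Max-Age "600" env=CORS_ORIGIN

# 5. Answer the OPTIONS preflight with an empty 204 for allow-listed origins.
#    Preflights never carry cookies, so a preflight that reaches a protected
#    resource is challenged by the Web Agent and the browser then fails the
#    real request. Whether this rule runs before the agent depends on the
#    hook the agent module uses; verify with the curl command below.
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^OPTIONS$
RewriteCond %{ENV:CORS_ORIGIN} !^$
RewriteRule ^/mysdweb/ - [R=204,L]

# Check (run from a shell, not part of the configuration):
# curl -si -X OPTIONS -H "Origin: https://spa.example.com" \
#   -H "Access-Control-Request-Method: GET" \
#   http://<server name>.<domain name>.com/mysdweb/myapp/rest/1
# Expect "HTTP/1.1 204" with the Access-Control-* headers, not a 302 to the
# login page, and no Access-Control-Allow-Origin at all for an unknown Origin.
```

If the preflight still comes back as a redirect to the login FCC, the agent is evaluating the OPTIONS request before mod_rewrite and the policy for that method has to be adjusted on the Policy Server side, which this article does not cover.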