When running a Web Agent, one might like to know how to integrate it
to use the CORS headers as seen in the SiteMinder OIDC documentation.
The browser reports a CORS error.
CORS error xhr
Access to XMLHttpRequest at
from origin 'http://myserver.mydomain.com' has been blocked by CORS
policy: No 'Access-Control-Allow-Origin' header is present on the
Web Agent 12.52SP1CR09 on Apache 2.4 on RedHat 6
At first glance, the Web Agent doesn't support CORS headers outside OIDC
The CORSConfiguration parameter is implemented in CA Access Gateway (SPS)
only for the OIDC journey, as described in (2).
An Idea has been submitted in the past (3), and it seems that you can
still configure the Web Server to handle these CORS headers (4).
To have this parameter added to Web Agent 12.52SP1, we
invite you to submit an Enhancement Request (Idea):
1. Go to the "All Ideas" page :
2. Click on the "Add" button.
3. In the "Select categories...", select "Layer7 Access Management".
4. Write a title in the "title" box.
5. Write a complete description of the Enhancement Request or
Certification you'd like to post.
6. Click on "Save" to get the Idea submitted!
Cross-Origin Resource Sharing (CORS) Support for OIDC Endpoints
Web browsers follow different security policies to mitigate
security risks when they serve user requests. The same-origin
policy is a commonly used policy that allows a browser on a
domain to access only those resources that are available within
the domain, that is, the browser can access only resources with
the same origin. In some cases, the same-origin policy may be
restrictive when a user request requires different resources
from different domains. For example, the same-origin policy
forbids Single-Page Applications (SPAs) to access an OIDC
Authorization Server that is present on another domain for OIDC
CORS Configuration in Administrative UI
SiteMinder supports CORS using a new ACO parameter named
CORSConfiguration in SPSDefaultSettings ACO template. The default
template with new ACO parameter is shipped with Policy Server
Note: The feature is supported only with Release 12.8.03 or higher
Policy Server and Access Gateway.
Ability to add HSTS and CORS headers to .fcc pages
Even if we use generic method to add HSTS headers to web pages
from IIS8.5 server, we are unable to add HSTS headers to .fcc
Now on IIS 10.0 adding the global header is now working - so maybe
there is some change in that area.
With the release of IIS 10.0 version 1709, HSTS is now supported natively.
CORS on CA SPS Federation Gateway
This fixed the CORS ISSUE:
Header always set Access-Control-Allow-Origin: *
Header always set Access-Control-Allow-Methods: "POST, GET, OPTIONS, DELETE, PUT"
Header always set Access-Control-Max-Age "1000"
Header always set Access-Control-Allow-Headers: "x-requested-with, Content-Type, origin, authorization, accept, SMCHALLENGE"
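
The following is an added example, not part of the original post or of the product documentation. It uses the same mod_headers approach on Apache 2.4, but replaces the wildcard origin with an allow-list, because browsers reject "Access-Control-Allow-Origin: *" on requests that send cookies. It assumes mod_setenvif and mod_headers are loaded; the origin names and the CORS_ORIGIN variable name are constructed placeholders.

```apache
# Added example. Assumes Apache 2.4 with mod_setenvif and mod_headers.
# The two origins below are constructed placeholders.

# Capture the request's Origin only when it exactly matches the allow-list.
# $0 expands to the whole matched string, so the value echoed back is
# always one of the listed origins, never arbitrary client input.
SetEnvIf Origin "^https://(spa|portal)\.example\.com$" CORS_ORIGIN=$0

# Emit the CORS headers only for allow-listed origins (env=CORS_ORIGIN).
Header always set Access-Control-Allow-Origin "%{CORS_ORIGIN}e" env=CORS_ORIGIN
Header always set Access-Control-Allow-Credentials "true" env=CORS_ORIGIN
Header always set Access-Control-Allow-Methods "POST, GET, OPTIONS, DELETE, PUT" env=CORS_ORIGIN
Header always set Access-Control-Allow-Headers "x-requested-with, Content-Type, origin, authorization, accept, SMCHALLENGE" env=CORS_ORIGIN
Header always set Access-Control-Max-Age "1000" env=CORS_ORIGIN

# The response now differs per Origin, so caches must key on it.
Header always merge Vary "Origin"
```

A request from an origin outside the allow-list receives no Access-Control-Allow-Origin header, so the browser blocks it with the same "No 'Access-Control-Allow-Origin' header is present" error shown at the top of this article.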