Despite having defined the ACO parameter

allowed-origins=REPLICATE_ORIGIN

for CORS, a userinfo request made via OAuth fails, and the browser reports the following CORS error:

Access to XMLHttpRequest at 'https://<sps_server>/affwebservices/CASSO/oidc/userinfo' from origin 'https://<my_web_server>' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'. The credentials mode of requests initiated by the XMLHttpRequest is controlled by the withCredentials attribute.

vendor-es2019.11d4dc3d264e74852a.js:1 error loading user info T {headers: d, status: 0, statusText: 'Unknown Error', url: 'https://<sps_server>/affwebservices/CASSO/oidc/userinfo', ok: false, ...}
CA SiteMinder 12.8 SP03 and later
This can happen when the web server's local httpd.conf also sets the CORS header itself through a mod_headers directive such as

Header set Access-Control-Allow-Origin "*"

Under these conditions the local wildcard value replaces the Access-Control-Allow-Origin value passed by the ACO, so REPLICATE_ORIGIN (which echoes the requesting origin back) never reaches the browser. The userinfo call is made with withCredentials set, i.e. with credentials mode 'include', and browsers reject a wildcard '*' origin for any credentialed request, which is exactly the error shown above. The wildcard also conflicts with the other CORS headers defined, such as Access-Control-Allow-Credentials: true, which is required for the credentialed call to succeed.
If the CORS settings are defined in the ACO, make sure no local CORS configuration is enabled on the web server (for example a Header set Access-Control-Allow-Origin directive in httpd.conf), since it would override the ACO values. Remove the local directive, restart the web server, and verify with a preflight (OPTIONS) request carrying an Origin header that Access-Control-Allow-Origin now echoes that origin rather than '*'.
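The following is an added example, not code from the article or from the SiteMinder product: a small model of the browser-side CORS check from the Fetch specification, run against two constructed preflight responses. The first represents what the agent emits with allowed-origins=REPLICATE_ORIGIN (the requesting origin echoed back, plus Access-Control-Allow-Credentials: true); the second is the same response after a local Header set Access-Control-Allow-Origin "*" has replaced the origin. The host name, the extra Allow-Methods/Allow-Headers values and the applyHeaderSet helper are assumptions for illustration only.

```javascript
// Added example (not from the original article): a simplified model of the
// browser's CORS check, applied to the two Access-Control-Allow-Origin values
// discussed above. All header sets below are constructed for illustration.

const REQUEST_ORIGIN = 'https://my_web_server.example'; // placeholder for https://<my_web_server>

// Normalise header names to lower case so lookups are case-insensitive,
// as the browser treats them.
function normalise(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = value;
  }
  return out;
}

// Simplified Fetch "CORS check": returns { ok, reason }.
// credentialsMode is 'include' when XMLHttpRequest.withCredentials is true
// (or Angular HttpClient is given withCredentials: true), otherwise 'same-origin'.
function corsCheck(requestOrigin, credentialsMode, responseHeaders) {
  const h = normalise(responseHeaders);
  const allowOrigin = h['access-control-allow-origin'];
  if (allowOrigin === undefined) {
    return { ok: false, reason: "No 'Access-Control-Allow-Origin' header is present" };
  }
  if (credentialsMode !== 'include') {
    // Without credentials, a wildcard or an exact origin match is sufficient.
    if (allowOrigin === '*' || allowOrigin === requestOrigin) return { ok: true, reason: '' };
    return { ok: false, reason: `Origin '${requestOrigin}' is not allowed by '${allowOrigin}'` };
  }
  // Credentialed request: the wildcard is rejected outright.
  if (allowOrigin === '*') {
    return { ok: false, reason: "The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'" };
  }
  if (allowOrigin !== requestOrigin) {
    return { ok: false, reason: `Origin '${requestOrigin}' does not match '${allowOrigin}'` };
  }
  if (h['access-control-allow-credentials'] !== 'true') {
    return { ok: false, reason: "'Access-Control-Allow-Credentials' must be 'true' for a credentialed request" };
  }
  return { ok: true, reason: '' };
}

// Model of mod_headers "Header set": the directive replaces any existing value
// of that header, which is how a local httpd.conf wildcard clobbers the origin
// echoed from the ACO. (Assumed, simplified model; httpd ordering is more involved.)
function applyHeaderSet(headers, name, value) {
  const h = normalise(headers);
  h[name.toLowerCase()] = value;
  return h;
}

// Constructed preflight response as sent with allowed-origins=REPLICATE_ORIGIN:
// the requesting origin is echoed back and credentials are allowed.
const agentPreflightResponse = {
  'Access-Control-Allow-Origin': REQUEST_ORIGIN,
  'Access-Control-Allow-Credentials': 'true',
  'Access-Control-Allow-Methods': 'GET, OPTIONS',            // assumed value
  'Access-Control-Allow-Headers': 'Authorization, Content-Type', // assumed value
};

// The same response after httpd.conf's  Header set Access-Control-Allow-Origin "*"
const overriddenPreflightResponse = applyHeaderSet(
  agentPreflightResponse, 'Access-Control-Allow-Origin', '*');

// What the userinfo call (withCredentials = true) sees in each case.
function userinfoResultWithOverride() {
  return corsCheck(REQUEST_ORIGIN, 'include', overriddenPreflightResponse);
}
function userinfoResultWithAcoOnly() {
  return corsCheck(REQUEST_ORIGIN, 'include', agentPreflightResponse);
}

console.log('with httpd.conf override:', userinfoResultWithOverride());
console.log('ACO settings only      :', userinfoResultWithAcoOnly());
```

Run with node; the overridden response is rejected with the same reason the browser printed, while the ACO-only response passes. The check also shows why REPLICATE_ORIGIN is needed in the first place: with credentials mode 'include' no wildcard can ever satisfy the browser, so the only working answer is an exact echo of the requesting origin together with Access-Control-Allow-Credentials: true.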