Arnaud MERGEY

Reputation: 96

403 "Invalid CORS request" after a successful SAML authentication

We are using Spring Security in our application (SP) to authenticate through a SAML IDP.

As expected, accessing the SP redirects to the IDP authentication form, but after the successful authentication, the POST of the SAML response to {myServerBase}/login/saml2/sso/{registrationId} in Spring Security fails with 403 "Invalid CORS request".

In the POST request, there is an HTTP header "Origin: null" which seems to make Spring's CorsFilter reject the SAML response.

We have this issue with two different SAML IDPs we tested (Samling and Okta); we are using Spring Security 5.4.1.

The only way to pass authentication with SAML is to disable CORS in Spring Security (but we would like CORS activated). Are there any particular steps we would have missed to configure both CORS and SAML with Spring Security?

Arnaud

Upvotes: 5

Views: 1366
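One way to keep CORS enabled for the application's own API while letting the SAML assertion-consumer endpoint through, written as an added example for this question and not code from the asker or from Spring. It assumes Spring Security 5.4 (so `WebSecurityConfigurerAdapter` and `saml2Login()` are available), a hypothetical front-end origin `https://app.example.com`, and an API path prefix `/api/**`. The idea is that `UrlBasedCorsConfigurationSource` only registers a configuration for the paths that actually serve cross-origin XHR traffic; for the SAML SSO path no configuration is registered, and Spring's `DefaultCorsProcessor` lets a non-preflight request with no matching configuration pass, so the IdP's form POST (which arrives with `Origin: null`) is no longer rejected:

```java
import java.util.List;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    // Assumed values for this example: the SPA origin and the API path prefix.
    private static final String FRONTEND_ORIGIN = "https://app.example.com";
    private static final String API_PATTERN = "/api/**";

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Use the scoped CORS source below instead of a global one.
            .cors(cors -> cors.configurationSource(corsConfigurationSource()))
            .authorizeRequests(authz -> authz.anyRequest().authenticated())
            // Registers the SAML filters, including the ACS endpoint at
            // /login/saml2/sso/{registrationId} that receives the IdP's POST.
            .saml2Login();
    }

    @Bean
    public CorsConfigurationSource corsConfigurationSource() {
        // Explicit allow-list for the API: a concrete origin, no wildcard and no "null".
        CorsConfiguration api = new CorsConfiguration();
        api.setAllowedOrigins(List.of(FRONTEND_ORIGIN));
        api.setAllowedMethods(List.of("GET", "POST", "PUT", "DELETE"));
        api.setAllowedHeaders(List.of("Authorization", "Content-Type"));
        api.setAllowCredentials(true);
        api.setMaxAge(3600L);

        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration(API_PATTERN, api);
        // Deliberately no entry for /login/saml2/sso/**: with no configuration for that
        // path, a plain (non-preflight) POST is passed through even when the browser
        // sends "Origin: null", while the API paths above stay under the strict policy.
        return source;
    }
}
```

Scoping the configuration this way avoids adding `null` to the allowed origins. Browsers send `Origin: null` in several privacy-sensitive situations (sandboxed iframes, cross-origin redirects, pages opened from local files), so allow-listing it on API paths admits any of those sources rather than one known origin; the SAML endpoint does not need CORS at all because the assertion is protected by the IdP's signature, not by the origin check.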

Answers (1)

Apoorva Manjunath

Reputation: 855

If you're using JHipster and you see this issue:

On localhost the origin will be null, and you will need to add the following to prevent the browser from blocking the requests.

jhipster:
  cors:
    allowed-origins:
      - null

For environments other than localhost, you can replace null with your expected Origin URL.

Upvotes: 0
