login.microsoftonline.com CORS because of missing Access-Control-Allow-Origin header

Martin 5 Reputation points
2024-08-27T15:13:11.48+00:00

We use MS Entra for SSO, and we have a problem when our application/tools try to initiate a SAML exchange with login.microsoftonline.com: we see CORS errors. I assume it's because the origin domain is different from https://login.microsoftonline.com/...

Is there any way to whitelist that origin domain by forcing login.microsoftonline.com to send out the Access-Control-Allow-Origin header with our origin domain in response to the SAML request?

Entity ID, Reply URL & Sign-on URL are set in Single sign-on/Basic SAML Configuration in MS Entra.

Is there anything else missing, or any reason why login.microsoftonline.com doesn't reply with the Access-Control-Allow-Origin header in the SAML response?


1 answer

  1. James Hamil 27,211 Reputation points Microsoft Employee Moderator
    2024-08-30T22:22:58.6+00:00

    Hi @Martin, unfortunately you cannot whitelist your origin domain by forcing login.microsoftonline.com to send out the Access-Control-Allow-Origin header with your origin domain as a response to the SAML request. This is because the Access-Control-Allow-Origin header is controlled by the server, and it is up to the server to decide which domains are allowed to access its resources.

    Have you seen this thread? It may help you with some solutions.

    Please let me know if you have any questions and I can help you further.

    If this answer helps you please mark "Accept Answer" so other users can reference it.

    Thank you,

    James
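
CORS is enforced only on script-initiated cross-origin requests (fetch/XHR), not on top-level browser navigations, so one client-side pattern is to hand the SAML sign-in to the browser as a navigation to the application's own Sign-on URL. The following is an added example, not part of the thread and not Microsoft code; it assumes the CORS error comes from a fetch call in the app following a redirect towards login.microsoftonline.com. `SIGN_ON_URL`, `apiFetch`, the `returnTo` parameter and the `deps` object are hypothetical names.

```javascript
// Added example, not code from the thread. Hypothetical names: SIGN_ON_URL,
// apiFetch, the returnTo parameter and the deps object used for testing.
const SIGN_ON_URL = "https://app.example.com/saml/login"; // placeholder value

// True when the app's own backend signals "no session, SAML sign-in needed".
function needsSignIn(response) {
  // With redirect: "manual", fetch does not follow a 3xx towards the IdP;
  // it returns an opaque redirect (type "opaqueredirect", status 0).
  return response.type === "opaqueredirect" || response.status === 401;
}

// URL of the app's sign-on endpoint, remembering where to return afterwards.
function signOnUrl(returnTo) {
  // Accept only same-origin absolute paths so returnTo cannot become an
  // open redirect ("//host" and "/\host" are rejected).
  const ok = typeof returnTo === "string" && /^\/(?![\/\\])/.test(returnTo);
  const url = new URL(SIGN_ON_URL);
  url.searchParams.set("returnTo", ok ? returnTo : "/");
  return url.toString();
}

// Call the app's API; if sign-in is required, leave the page with a
// top-level navigation instead of letting script follow the redirect.
async function apiFetch(path, options = {}, deps = {}) {
  const doFetch = deps.fetch || globalThis.fetch;
  const navigate = deps.navigate || ((u) => globalThis.location.assign(u));
  const here = deps.currentPath || "/";
  const response = await doFetch(path, {
    ...options,
    credentials: "same-origin",
    redirect: "manual",
  });
  if (needsSignIn(response)) {
    navigate(signOnUrl(here)); // browser navigation: CORS does not apply
    return null;
  }
  return response;
}
```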
