
DRYD-2122: Disable CORS for SAML endpoints#543

Open
mikejritter wants to merge 1 commit into
collectionspace:mainfrom
mikejritter:bug/dryd-2122-sso-cors

Conversation

@mikejritter

Contributor

What does this do?
This uses a wildcard to disable CORS so that IdPs can send different origins to the cspace-services backend when performing SSO.

Why are we doing this? (with JIRA link)
Jira: https://collectionspace.atlassian.net/browse/DRYD-2122

This is affecting SSO for one of the hosted clients where their IdP is sending an Origin header which is not allowed by the CORS settings of the server. This prevents the SSO login flow from completing.

How should this be tested? Do these changes have associated tests?

  • Follow the steps in the SSO Testing wiki page to set up an Auth0 instance (or use my configuration which I've added to the page)
    • I'm working on getting Keycloak to work locally as well. I ran into some issues and wanted to get this PR ready so I used Auth0.
  • Rebuild CollectionSpace with this PR
  • Add your service-config-sso.xml into the local cspace config directory.
  • Start CollectionSpace
  • For the endpoint which your SSO configuration is set up for, try the login and expect a non-4xx (specifically non-403, but a 401 also should not be returned) response
    • Note: the second curl exec here uses a host which resolves locally for me and should be replaced with something else
$ curl -i -X POST 'http://localhost:8180/cspace-services/login/saml2/sso/dev-auth0' \
 -H 'Origin: http://localhost:8080' \
 -H 'Content-Type: application/x-www-form-urlencoded' \
 --data 'SAMLResponse=x'
$ curl -i -X POST 'http://localhost:8180/cspace-services/login/saml2/sso/dev-auth0' \
 -H 'Origin: http://collectionspace.lan' \
 -H 'Content-Type: application/x-www-form-urlencoded' \
 --data 'SAMLResponse=x'
  • The Single Logout endpoint should be tested as well, as the IdP might be configured to redirect to it on logout (though tbh I don't know if the Origin header would apply here). This is harder to check the validity of, so a non-403 response is ok.
$ curl -i -X POST 'http://localhost:8180/cspace-services/logout/saml2/slo' \
 -H 'Origin: http://localhost:8080' \
 -H 'Content-Type: application/x-www-form-urlencoded' \
 --data 'SAMLResponse=x'
$ curl -i -X POST 'http://localhost:8180/cspace-services/logout/saml2/slo' \
 -H 'Origin: http://collectionspace.lan' \
 -H 'Content-Type: application/x-www-form-urlencoded' \
 --data 'SAMLResponse=x'

Dependencies for merging? Releasing to production?
None

Has the application documentation been updated for these changes?
SSO or CORS documentation could potentially be updated.

Did someone actually run this code to verify it works?
@mikejritter tested locally... though against dev.

Have any new security vulnerabilities been handled?
n/a

This uses a wildcard to disable cors so that IdPs can send
different origins to cspace-services backend when performing sso.
@mikejritter mikejritter requested a review from spirosdi June 17, 2026 23:21
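Spring's CORS processor answers a request whose Origin is not on the allow-list with a 403 before the SAML endpoint ever reads the SAMLResponse, which is the failure described above. The block below is an added example, not the cspace-services code and not what this PR changes: it scopes the wildcard to the SAML login and logout paths (the same paths as the curl commands above) and keeps credentials off on those paths, while the rest of the API keeps an explicit origin allow-list. The `uiOrigins` list and the `http.cors(...)` wiring in the trailing comment are assumptions.

```java
import java.util.List;

import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

/**
 * Added example: a per-path CORS source that relaxes the Origin check only on
 * the SAML assertion-consumer and single-logout endpoints. Everything else
 * keeps an explicit allow-list. Not the cspace-services code.
 */
public final class SamlCorsPolicy {

    private SamlCorsPolicy() {}

    /**
     * @param uiOrigins browser origins that may call the REST API with
     *                  credentials (assumed list, e.g. the UI host)
     */
    public static CorsConfigurationSource corsConfigurationSource(List<String> uiOrigins) {
        // SAML: the IdP posts a form (SAMLResponse) from an Origin we cannot predict.
        // Accept any origin, but only for POST and only without credentials: an
        // allowed-origin pattern of "*" combined with allowCredentials=true would
        // make Spring reflect every Origin back with cookies permitted.
        CorsConfiguration saml = new CorsConfiguration();
        saml.addAllowedOriginPattern("*");
        saml.setAllowedMethods(List.of("POST"));
        saml.setAllowedHeaders(List.of("Content-Type"));
        saml.setAllowCredentials(false);

        // Default: the rest of the API is reachable only from known UI origins.
        CorsConfiguration api = new CorsConfiguration();
        api.setAllowedOrigins(uiOrigins);
        api.setAllowedMethods(List.of("GET", "POST", "PUT", "DELETE", "OPTIONS"));
        api.setAllowedHeaders(List.of("Authorization", "Content-Type"));
        api.setAllowCredentials(true);
        api.validateAllowCredentials(); // throws if "*" were combined with credentials

        // Registration order matters: the first matching pattern wins, so the
        // SAML paths are registered before the catch-all.
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/login/saml2/sso/**", saml);
        source.registerCorsConfiguration("/logout/saml2/slo", saml);
        source.registerCorsConfiguration("/**", api);
        return source;
    }

    // Wiring (assumed, Spring Security lambda DSL):
    //   http.cors(c -> c.configurationSource(SamlCorsPolicy.corsConfigurationSource(uiOrigins)));
}
```

With this source in place the two curl commands above should return something other than 403 for both Origin values on the SAML paths, while a request to any other path with an unlisted Origin is still rejected.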