Cross-Origin Resource Sharing (CORS)
By default, for security reasons, the SCIM interface is published for any server application, but not for client-side (JavaScript) applications.
The CORS protocol defines how to state the restrictions that apply to client-side applications, so it is the mechanism used to allow them to query or modify SCIM objects. CORS settings can be tuned by adding two parameters:
Parameter | Value |
soffid.scim.cors.origin | Set a comma-separated list of DNS domains allowed to perform SCIM operations. Set to * to allow access from any domain. |
soffid.scim.cors.methods | Set a comma-separated list of allowed operations. By default, it is set to GET, OPTIONS, HEAD. To allow any operation, set it to GET, POST, PUT, PATCH, DELETE, OPTIONS, HEAD. |
These parameters can be changed in real time for any tenant. Note that values set for the master tenant apply to the master tenant and also act as default values for any child tenant.
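The following added example (not Soffid code) reviews a proposed pair of values for the two parameters above before they are applied, and models which browser requests the resulting policy would admit. The function names, the example.com hosts and the matching rule (host name equal to a list entry, or `*`) are assumptions made for illustration.

```javascript
// Added example (not Soffid code): review proposed values for
// soffid.scim.cors.origin and soffid.scim.cors.methods before applying them.
// Assumption: an origin is accepted when its host name equals a list entry
// (case-insensitive) or the list contains "*".
const READ_ONLY = new Set(["GET", "OPTIONS", "HEAD"]); // default named on the page
const ALL_METHODS = new Set([...READ_ONLY, "POST", "PUT", "PATCH", "DELETE"]);

// Split a comma-separated parameter value, dropping blanks and padding.
const splitList = (value) =>
  value.split(",").map((item) => item.trim()).filter(Boolean);

function auditCors(originValue, methodsValue) {
  const origins = splitList(originValue).map((o) => o.toLowerCase());
  const methods = splitList(methodsValue).map((m) => m.toUpperCase());
  const writes = methods.filter((m) => ALL_METHODS.has(m) && !READ_ONLY.has(m));
  const unknown = methods.filter((m) => !ALL_METHODS.has(m));
  const findings = [];
  if (origins.length === 0) findings.push("origin list is empty");
  if (unknown.length) findings.push(`unrecognised methods: ${unknown.join(", ")}`);
  if (origins.includes("*") && origins.length > 1)
    findings.push('"*" makes the other origin entries redundant');
  if (origins.includes("*") && writes.length)
    findings.push(`write methods open to every domain: ${writes.join(", ")}`);
  return { origins, methods, writes, findings };
}

// Model the allow/deny decision for one browser request under that policy.
function wouldAllow(policy, originHeader, method) {
  const host = new URL(originHeader).hostname.toLowerCase();
  const originOk = policy.origins.includes("*") || policy.origins.includes(host);
  return originOk && policy.methods.includes(method.toUpperCase());
}

// Constructed sample values; the example.com hosts are placeholders.
const scoped = auditCors("idm-console.example.com, hr.example.com", "GET, OPTIONS, HEAD");
const wide = auditCors("*", "GET, POST, PUT, PATCH, DELETE, OPTIONS, HEAD");
console.log(scoped.findings, wouldAllow(scoped, "https://hr.example.com", "DELETE"));
console.log(wide.findings, wouldAllow(wide, "https://other.example.net", "DELETE"));
```

Because master-tenant values act as defaults for child tenants, run the same review against the master tenant's values as well as any tenant-specific override.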