Skip to main content

Cross-Origin Resource Sharing (CORS)

By default, for security reasons, the SCIM interface is published for any server application, but not for client-side (javascript) applications.

In order to allow client-side applications to query or modify SCIM objects, the CORS protocol states how to define the restrictions that apply to client-side applications. CORS settings can be tuned adding two parameters:

ParameterValue
soffid.scim.cors.origin

Set a comma separated list of DNS domains allowed to perform SCIM operations.

Set to * to allow access from any domain

soffid.scim.cors.methods

Set a comma-separated list of allowed operations.

By default, it is set to GET, OPTIONS, HEAD

To allow any operation, set it to GET, POST, PUT, PATCH, DELETE, OPTIONS, HEAD

 

These parameters can be changed in real-time for any tenant. Mind that setting these values for the master tenant applies to master tenant, but also applies as default values for any child tenant.