PingFederate Server

Configuring administrative API CORS settings

About this task

Enabling cross-origin resource sharing (CORS) allows browser-based applications served from other origins to make requests to PingFederate administrative API endpoints. You define the origins (scheme, host, and optionally port) of the applications that are permitted to make CORS requests.

By default, CORS can accept the following request types:

  • GET

  • PUT

  • POST

  • DELETE

Requests can use the following headers:

  • X-XSRF-Header

  • Content-Type

  • Accept

  • Origin

  • Authorization

You can modify these settings at <pingfed-install>/server/default/data/admin-api.config.xml.

The following are some example Allowed Origins entries and their behaviors:

https://www.example.com

CORS requests originating from https://www.example.com are allowed.

https://www.example.com:8080

CORS requests originating from https://www.example.com:8080 are allowed.

https://www.example.com:*

CORS requests originating from any port on https://www.example.com are allowed. However, a port number is required in the Origin request header.

Add only specific, trusted origins. Using a wildcard or an overly broad origin pattern introduces a high risk of unauthorized administrative actions, because any page on a permitted origin can drive the administrative API with the credentials the browser attaches. In addition, unrestricted preflight requests can be used to overwhelm the server, creating a potential Denial-of-Service (DoS) condition.
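The following Python script is an added example, not PingFederate code, that models the origin-matching rules and the default request types and headers listed above as a standalone preflight checker. The matching semantics it assumes (case-insensitive scheme and host comparison, no normalization of default ports, and a trailing ":*" as the only supported pattern, which requires an explicit port in the request's Origin header) are taken from the examples on this page; the sample allow-list and requests are constructed for the demonstration.

```python
"""
Added example: a reference preflight checker that mirrors the CORS rules
described on this page. It is not PingFederate's implementation; the parsing
and comparison details below are assumptions made for illustration.
"""
from urllib.parse import urlsplit

# Request types and headers the page lists as the defaults.
DEFAULT_METHODS = ("GET", "PUT", "POST", "DELETE")
DEFAULT_HEADERS = ("X-XSRF-Header", "Content-Type", "Accept", "Origin", "Authorization")


def _split_origin(origin):
    """Return (scheme, host, port-or-None) for an Origin value, or None if it is
    not a well-formed serialized origin (e.g. 'null', a bare hostname, or a URL
    that carries a path)."""
    parts = urlsplit(origin)
    if parts.scheme.lower() not in ("http", "https") or not parts.hostname:
        return None
    if parts.path or parts.query or parts.fragment:
        return None  # a browser never sends a path in the Origin header
    try:
        port = parts.port  # ValueError on a non-numeric or out-of-range port
    except ValueError:
        return None
    return parts.scheme.lower(), parts.hostname, port  # hostname is already lowercased


def origin_allowed(origin, allowed_origins):
    """True if the Origin header value matches an Allowed Origins entry."""
    req = _split_origin(origin)
    if req is None:
        return False
    scheme, host, port = req
    for entry in allowed_origins:
        if entry.endswith(":*"):
            # Port wildcard: scheme and host must match, and the request must
            # carry an explicit port (assumption drawn from the page's note).
            pat = _split_origin(entry[:-2])
            if pat and port is not None and (scheme, host) == pat[:2]:
                return True
        elif _split_origin(entry) == req:
            return True
    return False


def preflight_decision(origin, request_method, request_headers, allowed_origins,
                       methods=DEFAULT_METHODS, headers=DEFAULT_HEADERS):
    """Evaluate a CORS preflight (OPTIONS) request.

    Returns the CORS response headers to emit, or None when the request must be
    refused, in which case no Access-Control-* headers are sent at all."""
    if not origin_allowed(origin, allowed_origins):
        return None
    if request_method.upper() not in methods:
        return None
    allowed_lower = {h.lower() for h in headers}
    requested = {h.strip().lower() for h in request_headers.split(",") if h.strip()}
    if not requested <= allowed_lower:
        return None
    return {
        # Echo the specific origin that matched; never respond with "*".
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Methods": ", ".join(methods),
        "Access-Control-Allow-Headers": ", ".join(headers),
        "Vary": "Origin",
    }


if __name__ == "__main__":
    # Constructed allow-list and preflight requests for the demonstration.
    allow = ["https://www.example.com", "https://admin.example.com:*"]
    samples = [
        ("https://www.example.com", "PUT", "Content-Type, X-XSRF-Header"),
        ("https://www.example.com:8080", "GET", "Accept"),        # port not allowed
        ("https://admin.example.com:9031", "DELETE", "Authorization"),
        ("https://admin.example.com", "GET", "Accept"),           # wildcard needs a port
        ("https://www.example.com", "PATCH", "Content-Type"),     # method not allowed
        ("https://www.example.com", "POST", "X-Custom-Header"),   # header not allowed
        ("null", "GET", "Accept"),                                # opaque origin
    ]
    for origin, method, hdrs in samples:
        result = preflight_decision(origin, method, hdrs, allow)
        print(f"{origin:34} {method:6} -> {'allow' if result else 'refuse'}")
```

Run it and compare the verdicts with the Allowed Origins examples above; the point of the checker is that a refused preflight gets no CORS headers at all, so the browser blocks the cross-origin call before any administrative action is attempted.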

Steps

  1. Go to System > Administrative API > CORS Settings.

  2. To enable CORS requests, select Enable CORS.

  3. To add permitted CORS domains:

    1. Click Add.

    2. Enter a domain name in the Allowed Origins field.

  4. Click Save.