Keycloak SAML: How to fix Preflight missing allow origin header without Web Origin setting?

I have a Keycloak SAML Identity Provider (IdP) and a backend (NodeJS) server each running on separate IPs/Hosts. Everything works great when I manually navigate to my backend login page. I’m redirected to Keycloak for login and then the SAML assertion is posted back to my backend callback page. But this doesn’t work for ajax calls.

The redirect to the Keycloak SAML IdP fails with a preflight “No Access-Control-Allow-Origin header present on requested resource” error. If we were using Open ID Connect (OIDC) then I could put my backend IP/Hostname into the Web Origins Setting, but that setting doesn’t exist in Keycloak SAML.

How can I add my backend server IP/Hostname to CORS in Keycloak SAML or otherwise send the Access-Control-Allow-Origin header I need?

That’s not a clever idea. SAML was not designed for Ajax calls. So you may hack this problem (primitive/insecure fix will be to add those headers on proxy level), but that will introduce other issues.

My server is required to automatically call my SAML login page and then redirect → Keycloak login → Keycloak post → then complete at my server’s callback endpoint and continue.

It’s weird that OIDC has a setting for CORS and SAML doesn’t. Is there an underlying config file I can use to add my server to CORS or any other solution that works without manual navigation? I really appreciate any help.
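An added example (not code from the question, the reply or Keycloak) of the pattern the reply points toward and the flow the follow-up asks for: the backend never answers an Ajax request with a cross-origin 302 into the SAML flow (the IdP will not answer the CORS preflight); it returns 401 plus its own login URL, and the browser performs a top-level navigation, which then runs redirect → Keycloak login → Keycloak POST → backend callback as a normal page load. The `/saml/login` path, the `returnTo` parameter and the `X-Requested-With` check are assumptions.

```javascript
// Added example, not code from the question, the reply or Keycloak.
// An Ajax (fetch/XHR) request must not be answered with a 302 into the
// cross-origin SAML flow, because the IdP will not answer the CORS preflight.
// Instead the backend returns 401 plus its own login URL, and the browser
// performs a top-level navigation, the context SAML Web Browser SSO expects.

const SAML_LOGIN_PATH = "/saml/login"; // hypothetical backend endpoint that starts the SAML login

// Only same-site relative paths may be used as the post-login return target
// (rejects absolute URLs and protocol-relative "//host" forms: no open redirect).
function safeReturnTo(path) {
  return typeof path === "string" && path.startsWith("/") && !path.startsWith("//") ? path : "/";
}

// Heuristic: JSON-accepting or XHR-marked requests are Ajax calls (header name is an assumption).
function isAjaxRequest(req) {
  const accept = req.headers["accept"] || "";
  return accept.includes("application/json") ||
    req.headers["x-requested-with"] === "XMLHttpRequest";
}

// Build the backend's reply to an unauthenticated request as plain data
// ({status, headers, body}) so it can be tested without opening a socket.
function unauthenticatedResponse(req) {
  const loginUrl = SAML_LOGIN_PATH + "?returnTo=" + encodeURIComponent(safeReturnTo(req.url));
  if (isAjaxRequest(req)) {
    return {
      status: 401,
      headers: { "content-type": "application/json" },
      body: JSON.stringify({ loginUrl }),
    };
  }
  // Ordinary navigation: a redirect into the SAML flow works here because the
  // browser follows it as a top-level request, not as a fetch subject to CORS.
  return { status: 302, headers: { location: loginUrl }, body: "" };
}

// Browser side: given the parsed API result, either use the data or hand
// control to a top-level navigation (navigate = url => window.location.assign(url)).
function routeApiResult(result, navigate) {
  if (result.status === 401 && result.body && result.body.loginUrl) {
    navigate(result.body.loginUrl);
    return null;
  }
  return result.body;
}
```

In a Node `http` handler the returned object is written with `res.writeHead(r.status, r.headers); res.end(r.body);`, and `/saml/login` itself is the endpoint that redirects to Keycloak.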