Keycloak SAML: How to fix Preflight missing allow origin header without Web Origin setting?

I have a Keycloak SAML Identity Provider (IdP) and a backend (NodeJS) server each running on separate IPs/Hosts. Everything works great when I manually navigate to my backend login page. I’m redirected to Keycloak for login and then the SAML assertion is posted back to my backend callback page. But this doesn’t work for ajax calls.

The redirect to the Keycloak SAML IdP fails with a preflight “No Access-Control-Allow-Origin header present on requested resource” error. If we were using Open ID Connect (OIDC) then I could put my backend IP/Hostname into the Web Origins Setting, but that setting doesn’t exist in Keycloak SAML.

How can I add my backend server IP/Hostname to CORS in Keycloak SAML or otherwise send the Access-Control-Allow-Origin header I need?

That’s not a clever idea. SAML was not designed for Ajax calls. So you may hack this problem (a primitive/insecure fix would be to add those headers at the proxy level), but that will introduce other issues.

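Added example, not code from the thread or from Keycloak: the failure above happens because a fetch/XMLHttpRequest follows the backend’s 302 to the IdP cross-origin and hits CORS preflight. The Node backend can avoid that by answering only top-level navigations with a 302 and answering XHR calls with a 401 carrying the login URL, which the page then opens with a normal navigation. `SAML_LOGIN_PATH` and the `returnTo` parameter are assumed names on the backend.

```javascript
// Added example (not from the thread). Decide how an unauthenticated request
// should be answered: a 302 to the SAML login route only helps a top-level
// navigation; a fetch/XHR following that redirect cross-origin is blocked by
// CORS preflight, so it gets a 401 with the login URL instead.
const SAML_LOGIN_PATH = '/saml/login'; // assumed backend route that starts the SAML flow

function isNavigationRequest(headers) {
  // Normalise header names, since Node lowercases them but callers may not.
  const h = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v)]));
  // Modern browsers label top-level navigations explicitly.
  if (h['sec-fetch-mode'] !== undefined) return h['sec-fetch-mode'] === 'navigate';
  // Fallback heuristics for clients without Fetch Metadata headers.
  if (h['x-requested-with'] === 'XMLHttpRequest') return false;
  return (h['accept'] || '').includes('text/html');
}

function safeReturnPath(returnTo) {
  // Only accept a same-site relative path, so the login URL cannot be turned
  // into a redirect to another host ("//other.example" is not allowed).
  if (typeof returnTo !== 'string' || !returnTo.startsWith('/') || returnTo.startsWith('//')) {
    return '/';
  }
  return returnTo;
}

function authChallenge(headers, returnTo) {
  const loginUrl = `${SAML_LOGIN_PATH}?returnTo=${encodeURIComponent(safeReturnPath(returnTo))}`;
  if (isNavigationRequest(headers)) {
    // Browser navigation: redirect into the SAML flow as before.
    return { status: 302, headers: { Location: loginUrl }, body: '' };
  }
  // XHR/fetch: no redirect. The page is expected to do
  // window.location.assign(body.login) and come back via the callback endpoint.
  return {
    status: 401,
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({ error: 'login_required', login: loginUrl }),
  };
}
```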

My server is required to automatically call my SAML login page and then redirect → Keycloak login → Keycloak post → then complete at my server’s callback endpoint and continue.

It’s weird that OIDC has a setting for CORS and SAML doesn’t. Is there an underlying config file I can use to add my server to CORS or any other solution that works without manual navigation? I really appreciate any help.

Interestingly, if you export your client and look in the JSON file, you’ll find a webOrigins key. It looks to me as if Keycloak just automatically populates webOrigins with the rootUri, though that’s entirely speculation on my part. But you should be able to edit that file, then import as a new client, disable the old one, and see what happens.

@erickhagstrom I am facing a similar problem with not having a webOrigins config in the Keycloak console for SAML clients.
I have tried the way you mentioned of exporting and editing the client, but no luck.
The preflight request to IDP’s SAML endpoint is being blocked by CORS.
Any more clues on how to proceed?