Cross-Origin Resource Sharing error: Preflight Missing Allow Origin Header


My name is Tsvetelin and I am new to EDX development.

I am trying to implement OKTA integration by using EDX hosted login form (currently adopting EXD login form).

After submitting POST authentication request to OKTA (EDX login form submit), I try to redirect browser to OKTA authorisation URL, but browser cause " Cross-Origin Resource Sharing error: **PreflightMissingAllowOriginHeader"

Is the error caused by EDX CORS settings or it comes from OKTA CORS configuration?

Any help is warm welcome

Below I list request/response headers of the process

Thank you



  • 8000/user_api/v1/account/login_session/
  • Request Method: POST
  • Status Code: 302 Found
  • Remote Address: [::1]:18000
  • Referrer Policy: strict-origin-when-cross-origin
  • Response Headers
    • Access-Control-Allow-Credentials: true
    • Access-Control-Allow-Origin: http://localhost:18000
    • Content-Language: en
    • Content-Length: 0
    • Content-Type: text/html; charset=utf-8
    • Date: Tue, 24 Aug 2021 08:56:01 GMT
    • Location:…….
    • Server: WSGIServer/0.2 CPython/3.5.2
    • Set-Cookie: csrftoken=WMONMVsewzW5ey3zdf2enhNvm9Lme2d2Bo5dBmdjMiJ7zOgACBTzqGsF1vXwepNU; expires=Tue, 23 Aug 2022 08:56:01 GMT; Max-Age=31449600; Path=/; SameSite=Lax
    • Vary: Cookie, Accept, Accept-Language, Origin
    • X-Frame-Options: DENY


Hi @tsvetelin ! I’ve set up SAML auth with Okta and Open edX before, and here’s a sanitized version of the settings we used.

Open edX SAML settings

  • Enabled: Yes
  • Icon class: fa-sign-in
  • Icon image: None
  • Name: <Insert name here>
  • Slug: <Insert short name here>
    Must match the Default Relay State on the Okta application.
  • Secondary: No
  • Site: <Link to site entry>
  • Skip hinted login dialog: Yes
  • Skip registration form: No
  • Skip email verification: Yes
  • Send welcome email: Optional
  • Visible: Yes
  • Max session length (seconds): (blank)
  • Send to registration first: No
  • Sync learner profile data: Yes
  • Enable sso id verification: Yes
  • Backend name: tpa-saml
  • Enable automatic metadata refresh: Yes
  • Identity Provider Type: Standard SAML Provider
  • Advanced settings: {“PROVIDER_READ_ONLY_FIELDS”: [ “email”, “name” ]}

These values come from your Okta setup:

  • Entity ID:<okta app id>
  • Metadata source: https://<app-name><okta app id>/sso/saml/metadata
  • Debug mode: No

These attribute names must match those set up as “Attribute statements” in the Okta application:

  • User ID Attribute: username
  • Full Name Attribute: fullName
  • Default Value for Full Name: (blank)
  • First Name Attribute: firstName
  • Default Value for First Name: (blank)
  • Last Name Attribute: lastName
  • Default Value for Last Name: (blank)
  • Username Hint Attribute: username
  • Default Value for Username: (blank)
  • Email Attribute: email
  • Default Value for Email: (blank)

Open edX site configuration

These ansible variables must be set to allow cross-origin requests and CSRF cookies to be shared across domains.


Okta application SAML settings


  • Single Sign On URL: https://<lms url>/auth/complete/tpa-saml/
  • Recipient URL: https://<lms url>/auth/complete/tpa-saml/
  • Destination URL: https://<lms url>/auth/complete/tpa-saml/
  • Audience Restriction: https://<lms url>
  • Default Relay State: <Insert short name here>
    Must match the Slug on the Open edX SAML.
  • Name ID Format: Unspecified
  • Application username: Okta username
  • Update application username on: Create and update
  • Response: Signed
  • Assertion Signature: Signed
  • Signature Algorithm: RSA_SHA256
  • Digest Algorithm: SHA256
  • Assertion Encryption: Unencrypted
  • SAML Single Logout: Disabled
  • authnContextClassRef: PasswordProtectedTransport
  • Honor Force Authentication: Yes
  • Assertion Inline Hook: None (disabled)
  • SAML Issuer ID:${org.externalKey}

Attribute Statements

All “Name Formats” are Unspecified.

  • firstName: user.firstName
  • lastName: user.lastName
  • email: user.login
  • username: String.len(user.nickName) > 0 ? user.nickName : substringBefore(user.login, "@")
  • fullName: String.join(" ", user.firstName, user.lastName)

Group Attribute Statements


1 Like

@jinder_Singh noted that this setting is pretty unsafe to use – so better to explicitly specify a list of hosts to allow using EDXAPP_CORS_ORIGIN_WHITELIST: ["<app-name>", ...] instead, so I’ve amended my post above.