Cross-Origin Resource Sharing error: Preflight Missing Allow Origin Header

Hi @tsvetelin ! I’ve set up SAML auth with Okta and Open edX before, and here’s a sanitized version of the settings we used.

Open edX SAML settings

  • Enabled: Yes
  • Icon class: fa-sign-in
  • Icon image: None
  • Name: <Insert name here>
  • Slug: <Insert short name here>
    Must match the Default Relay State on the Okta application.
  • Secondary: No
  • Site: <Link to site entry>
  • Skip hinted login dialog: Yes
  • Skip registration form: No
  • Skip email verification: Yes
  • Send welcome email: Optional
  • Visible: Yes
  • Max session length (seconds): (blank)
  • Send to registration first: No
  • Sync learner profile data: Yes
  • Enable sso id verification: Yes
  • Backend name: tpa-saml
  • Enable automatic metadata refresh: Yes
  • Identity Provider Type: Standard SAML Provider
  • Advanced settings: {"PROVIDER_READ_ONLY_FIELDS": ["email", "name"]}

These values come from your Okta setup:

  • Entity ID: http://www.okta.com/<okta app id>
  • Metadata source: https://<app-name>.oktapreview.com/app/<okta app id>/sso/saml/metadata
  • Debug mode: No

These attribute names must match those set up as “Attribute statements” in the Okta application:

  • User ID Attribute: username
  • Full Name Attribute: fullName
  • Default Value for Full Name: (blank)
  • First Name Attribute: firstName
  • Default Value for First Name: (blank)
  • Last Name Attribute: lastName
  • Default Value for Last Name: (blank)
  • Username Hint Attribute: username
  • Default Value for Username: (blank)
  • Email Attribute: email
  • Default Value for Email: (blank)

Open edX site configuration

These Ansible variables must be set to allow cross-origin requests and CSRF cookies to be shared across domains.

EDXAPP_FEATURES:
  ENABLE_CROSS_DOMAIN_CSRF_COOKIE: true
EDXAPP_CROSS_DOMAIN_CSRF_COOKIE_NAME: "okta-csrftoken"
EDXAPP_CROSS_DOMAIN_CSRF_COOKIE_DOMAIN: ".<app-name>.oktapreview.com"
EDXAPP_CSRF_COOKIE_SECURE: true
# EDXAPP_CORS_ORIGIN_ALLOW_ALL: true  # unsafe
EDXAPP_CORS_ORIGIN_WHITELIST: ["<app-name>.oktapreview.com"]

Okta application SAML settings

General

  • Single Sign On URL: https://<lms url>/auth/complete/tpa-saml/
  • Recipient URL: https://<lms url>/auth/complete/tpa-saml/
  • Destination URL: https://<lms url>/auth/complete/tpa-saml/
  • Audience Restriction: https://<lms url>
  • Default Relay State: <Insert short name here>
    Must match the Slug in the Open edX SAML settings.
  • Name ID Format: Unspecified
  • Application username: Okta username
  • Update application username on: Create and update
  • Response: Signed
  • Assertion Signature: Signed
  • Signature Algorithm: RSA_SHA256
  • Digest Algorithm: SHA256
  • Assertion Encryption: Unencrypted
  • SAML Single Logout: Disabled
  • authnContextClassRef: PasswordProtectedTransport
  • Honor Force Authentication: Yes
  • Assertion Inline Hook: None (disabled)
  • SAML Issuer ID: http://www.okta.com/${org.externalKey}

Attribute Statements

All “Name Formats” are Unspecified.

  • firstName: user.firstName
  • lastName: user.lastName
  • email: user.login
  • username: String.len(user.nickName) > 0 ? user.nickName : substringBefore(user.login, "@")
  • fullName: String.join(" ", user.firstName, user.lastName)

Group Attribute Statements

None.

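As an added example that is not part of the original post, here is a small check that the three settings groups above agree with each other: Slug versus Default Relay State, the Okta Single Sign On URL versus the Open edX ACS endpoint, the attribute names, and the CORS/CSRF cookie variables. The LMS origin, Okta domain and slug are constructed placeholders.

```python
# Added example, not code from the original post: a consistency check over
# the Open edX / Okta SAML settings listed above. All values below are
# constructed placeholders for a hypothetical deployment.
LMS = "https://lms.example.org"      # assumed LMS origin
OKTA = "acme.oktapreview.com"        # assumed Okta org domain

EDX_SAML = {  # Open edX SAML provider configuration
    "slug": "acme-okta", "backend_name": "tpa-saml",
    "user_id_attribute": "username", "full_name_attribute": "fullName",
    "first_name_attribute": "firstName", "last_name_attribute": "lastName",
    "email_attribute": "email",
}
EDX_SITE = {  # the Ansible variables from the post, minus the EDXAPP_ prefix
    "ENABLE_CROSS_DOMAIN_CSRF_COOKIE": True,
    "CROSS_DOMAIN_CSRF_COOKIE_DOMAIN": "." + OKTA,
    "CSRF_COOKIE_SECURE": True,
    "CORS_ORIGIN_ALLOW_ALL": False,
    "CORS_ORIGIN_WHITELIST": [OKTA],
}
OKTA_APP = {  # the Okta application's SAML settings
    "sso_url": LMS + "/auth/complete/tpa-saml/",
    "audience": LMS,
    "default_relay_state": "acme-okta",
    "attribute_statements": {"firstName", "lastName", "email", "username", "fullName"},
}

def check_saml_config(edx_saml, edx_site, okta_app, lms=LMS, okta_domain=OKTA):
    """Return the list of mismatches between the three settings groups."""
    problems = []
    if edx_saml["slug"] != okta_app["default_relay_state"]:
        problems.append("Slug must equal the Okta Default Relay State")
    acs = f"{lms}/auth/complete/{edx_saml['backend_name']}/"  # Open edX ACS endpoint
    if okta_app["sso_url"] != acs:
        problems.append(f"Okta Single Sign On URL should be {acs}")
    if okta_app["audience"] != lms:
        problems.append("Audience Restriction should be the LMS URL")
    needed = {v for k, v in edx_saml.items() if k.endswith("_attribute")}
    missing = needed - okta_app["attribute_statements"]
    if missing:
        problems.append(f"Okta attribute statements missing: {sorted(missing)}")
    if edx_site["CORS_ORIGIN_ALLOW_ALL"]:
        problems.append("CORS_ORIGIN_ALLOW_ALL is unsafe; list the Okta domain instead")
    elif okta_domain not in edx_site["CORS_ORIGIN_WHITELIST"]:
        problems.append("Okta domain missing from CORS_ORIGIN_WHITELIST")
    dom = edx_site["CROSS_DOMAIN_CSRF_COOKIE_DOMAIN"]
    if dom != dom.strip() or not dom.startswith("."):
        problems.append("CSRF cookie domain needs a leading dot and no whitespace")
    if not (edx_site["ENABLE_CROSS_DOMAIN_CSRF_COOKIE"] and edx_site["CSRF_COOKIE_SECURE"]):
        problems.append("cross-domain CSRF cookie must be enabled and Secure")
    return problems
```

Running `check_saml_config(EDX_SAML, EDX_SITE, OKTA_APP)` on the placeholder values returns an empty list; a leading space in the cookie domain or an enabled `CORS_ORIGIN_ALLOW_ALL` shows up as a reported problem.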