RapidIdentity Administrators' and Users' Guide


Global CORS configuration for all RapidIdentity instances is stored in the database. These properties only need to be defined in rapididentity.properties if this particular instance of RapidIdentity needs to be configured differently from other instances. If these are defined, they take precedence over those defined globally in the database.

For each of the sections, the default values have been set. To add a new value to a section, simply click the Add button and enter the new desired value into the resulting field. To remove a value, simply click the X next to it.

Allowed Methods

The Allowed Methods section lists HTTP request methods that can be used to access resources using cross-origin requests, and defines the methods to be included in the Access-Control-Allow-Methods header in pre-flight responses.



Allowed Headers

The Allowed Headers section lists HTTP request headers that can be used when making cross-origin requests. These headers will also be returned in the Access-Control-Allow-Headers header in pre-flight responses.

Default Values: Origin, Accept, X-Requested-With, Content-Type, Access-Control-Request-Method, Access-Control-Request-Headers, idauto.debug, X-idauto-debug, Authorization


Allowed Origins

The Allowed Origins section lists all origins allowed to access resources on the server using cross-origin requests. A value of * indicates that resources are allowed to be accessed from any origin.


* is not secure; Identity Automation recommends including an accurate domain value during initial configuration. If other values are added, make sure to remove the * value from the list; otherwise, it will override any non-* values and they will not save as expected.


If configuring RapidIdentity for SAML authentication against an Identity Provider in a different domain, that domain may require being added as Allowed Origin. The Allowed Origin value should be formatted as https://identity_provider_domain.

Default Value: *


Exposed Headers

The Exposed Headers section lists all headers other than simple response headers that browsers will be allowed to access. These are the headers which will be included in the Access-Control-Expose-Headers header in pre-flight responses.

Default Value: [blank]


Max Age (seconds)

The Max Age subsection defines the number of seconds a browser is allowed to cache the result of a pre-flight request. This will be included as the Access-Control-Max-Age header in pre-flight responses. A negative value will prevent the header from being included in pre-flight responses.

Default Value: 1800


Supports Credentials


This option, when checked, responds to browser requests with Allow Credentials in order to improve security on cross-origin requests.

Custom crossdomain.xml

A cross-domain policy file is an XML document that grants a Flash Player client permission to handle data across domains. More information on crossdomain.xml files is available here. To populate this subsection, simply cut and paste the code for the desired cross-domain policy .xml file.


The default crossdomain.xml file served by the RapidIdentity server is constructed from the rest of the CORS configuration as described above. A custom crossdomain.xml value should only be required if the default is not sufficient.

The default crossdomain.xml file can be accessed in a browser at https://[rapididentity_domain]/crossdomain.xml.

Default Value: [blank]


When each subsection has been populated as desired, click Save.