Some relying parties may do CORS (Cross-Origin Resource Sharing) pre-flight requests towards the IdP. This page discuss some alternatives how they can be handledfor handling that.
Java
...
Servlet Container
At least Jetty and Tomcat have their own Filter implementations for handling CORS requests:
...
Spring CORS configuration
IdP supports this style since version 4V4.2 provides a native/proprietary mechanism for supporting this via Spring. A global bean called shibboleth.CorsConfigurations may contain a map of org.springframework.web.cors.CorsConfiguration declarations, where the key of each entry corresponds to the locations under the <context>/profile URL space tree (e.g., /oidc/token is mapped to correponds with https://idp.example.org/idp/profile/oidc/token).
By default, the map is not defined and thus Spring doesn’t do provide any CORS handling.
The following example contains an example that activates the Spring CORS handling for the OP - plugin’s token -endpoint:
...