Reverse Proxy SSO to Identity Applications and CSP directive

I don't know if this is the most appropriate forum, or whether this should be a question for the IDM community. It seemed more related to NAM to me.

We are protecting the IDM Identity Applications with Reverse Proxy SSO.
The Form Fill does not work. If we enable the policy, the browser goes blank, showing the following error:

Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'nonce-lX56t1uoj4W1LxBkrqidsw=='". Either the 'unsafe-inline' keyword, a hash ('sha256-lty0hjNh1LkVQJgoWjk0XZSkEZw6mSwZ+CqO0tW3wBA='), or a nonce ('nonce-...') is required to enable inline execution.

Has anyone encountered the same problem and know how to fix it?

Regards

Labels:

Access Manager

    Hi!

    AM form fill injects JavaScript into the form itself, and based on the error you get, the IDM apps forbid this by setting a CSP.

    So you can either change/loosen the CSP policy on the IDM apps (probably the ContentSecurityPolicy filter in Tomcat's web.xml) or change the SSO approach.

    I would suggest changing SSO to federation. You can still protect the IDM apps with the reverse proxy, but ditch form fill and configure SAML.

    Kind regards,

    Sebastijan


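The browser error quoted in the question states the whole rule: an inline script runs only if script-src carries 'unsafe-inline', a nonce that matches the script tag, or a hash of the script text. Before touching whatever emits the header on the Identity Applications side (the answer above guesses a ContentSecurityPolicy filter in Tomcat's web.xml; this thread does not confirm where it lives), it is worth being able to predict what a given policy will do to the injected script. The following is an added example, not code from the thread or from NetIQ Access Manager or IDM; the policy string is the one from the error message, while the inline script body is constructed for the example and is not what the form-fill policy really injects. It also shows two caveats a practitioner would want: appending 'unsafe-inline' to a policy that already carries a nonce changes nothing, because browsers that understand nonces ignore 'unsafe-inline' in that case, and a hash-source only works if the injected script is byte-for-byte identical on every response.

```python
import base64
import hashlib

# Constructed sample input. The policy is the one quoted in the browser
# error in the question; the script body is made up for this example and
# is NOT what Access Manager's form fill actually injects.
SAMPLE_POLICY = "script-src 'self' 'nonce-lX56t1uoj4W1LxBkrqidsw=='"
SAMPLE_INLINE_SCRIPT = "document.forms[0].submit();"

HASH_ALGOS = ("sha256", "sha384", "sha512")


def parse_csp(header):
    """Split a Content-Security-Policy header value into
    {directive-name: [source expressions]}. Directive names are
    case-insensitive; nonce and hash values are not, so they are kept as-is."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def script_sources(header):
    """script-src governs inline scripts; default-src is the fallback.
    Neither directive present means no restriction at all (returns None)."""
    policy = parse_csp(header)
    if "script-src" in policy:
        return policy["script-src"]
    return policy.get("default-src")


def hash_source(script_body, algo="sha256"):
    """Hash-source token for an inline script: digest of the exact script
    text (the bytes between <script> and </script>), base64-encoded, in the
    same form the browser prints in its error message."""
    digest = hashlib.new(algo, script_body.encode("utf-8")).digest()
    return "'%s-%s'" % (algo, base64.b64encode(digest).decode("ascii"))


def inline_script_allowed(header, script_body, script_nonce=None):
    """Return (allowed, reason) for an inline <script> under this policy.
    Rule from the browser error: 'unsafe-inline', a matching nonce, or a
    matching hash is required, and 'unsafe-inline' is ignored as soon as
    any nonce-source or hash-source is present in the directive."""
    sources = script_sources(header)
    if sources is None:
        return True, "no script-src or default-src directive"
    keywords = {s.lower() for s in sources if not s.startswith(("'nonce-", "'sha"))}
    nonces = {s[len("'nonce-"):-1] for s in sources if s.startswith("'nonce-")}
    hashes = {s for s in sources if s.startswith("'sha")}
    if script_nonce is not None and script_nonce in nonces:
        return True, "nonce attribute matches a nonce-source"
    for algo in HASH_ALGOS:
        if hash_source(script_body, algo) in hashes:
            return True, "script hash matches a %s hash-source" % algo
    if "'unsafe-inline'" in keywords:
        if nonces or hashes:
            return False, "'unsafe-inline' is ignored because a nonce or hash source is present"
        return True, "'unsafe-inline' permits inline scripts"
    return False, "inline script has no matching nonce or hash"


def allow_inline_script(header, script_body):
    """Loosen the policy the narrow way: append the script's sha256 hash to
    script-src (copied from default-src if script-src is absent). Only
    valid when the injected script is identical on every response; a script
    that embeds per-request values needs a nonce or a policy change instead."""
    policy = parse_csp(header)
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return header  # nothing restricts scripts, nothing to loosen
    policy["script-src"] = sources + [hash_source(script_body)]
    return "; ".join(" ".join([name] + srcs) for name, srcs in policy.items())


if __name__ == "__main__":
    for label, hdr, nonce in [
        ("as reported", SAMPLE_POLICY, None),
        ("script tag carries the nonce", SAMPLE_POLICY, "lX56t1uoj4W1LxBkrqidsw=="),
        ("'unsafe-inline' appended", SAMPLE_POLICY + " 'unsafe-inline'", None),
        ("hash appended", allow_inline_script(SAMPLE_POLICY, SAMPLE_INLINE_SCRIPT), None),
    ]:
        ok, why = inline_script_allowed(hdr, SAMPLE_INLINE_SCRIPT, nonce)
        print("%-30s allowed=%-5s %s" % (label, ok, why))
```

Running it reproduces the blocked case from the question and shows that the only policy changes which actually let the injected script run are a nonce the injecting side can emit on the script tag, a hash of an unchanging script, or dropping the nonce in favour of 'unsafe-inline' (which gives up most of what the CSP was buying).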
Reply


    Thanks Sebastijan. The problem is in the JavaScript that injects the form fill.
    Normally we do federation over SAML, but in this case we prefer SSO over Form Fill.
    The problem is that I can't find information anywhere on how to define that filter in the web.xml.
    An integration like NAM and IDM should be more than documented. But it seems not.