Reverse Proxy SSO to Identity Applications and CSP directive

I don't know if this is the most appropriate forum, or whether this should be a question for the IDM community. It seemed more related to NAM to me.

We are protecting the IDM Identity Applications by Reverse Proxy SSO.
Form Fill does not work. If we enable the policy, the browser goes blank, showing the following error:

Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'nonce-lX56t1uoj4W1LxBkrqidsw=='". Either the 'unsafe-inline' keyword, a hash ('sha256-lty0hjNh1LkVQJgoWjk0XZSkEZw6mSwZ+CqO0tW3wBA='), or a nonce ('nonce-...') is required to enable inline execution.

Has anyone encountered the same problem and knows how to fix it?

Regards

  • 0  

    Hi!

    AM Form Fill injects JavaScript into the form itself, and based on the error you get, the IDM apps forbid this by setting a CSP.

    So you can either change/loosen the CSP policy on the IDM apps (probably the ContentSecurityPolicy filter in Tomcat's web.xml) or change the SSO approach.

    I would suggest changing SSO to federation. You can still protect the IDM apps with the reverse proxy, but ditch Form Fill and configure SAML.

    Kind regards,

    Sebastijan

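To see why the injected script is refused, and what loosening the policy versus keeping it strict amounts to, here is an added example (not from the thread or from any NetIQ product): it evaluates a script-src directive against an inline snippet the way a browser does, using the nonce value from the error message above and a constructed snippet standing in for the injected form-fill code.

```python
import base64
import hashlib
import re
from typing import List, Optional

# Constructed sample policy: the script-src directive from the error message in
# the thread. A real nonce is random per response, which is exactly why code
# injected by a proxy can never carry the right one.
SAMPLE_CSP = "default-src 'self'; script-src 'self' 'nonce-lX56t1uoj4W1LxBkrqidsw=='"

# Constructed stand-in for the inline form-fill script the proxy injects.
INJECTED_SCRIPT = "document.forms[0].submit();"


def script_src_sources(csp: str) -> List[str]:
    """Return the source list of script-src, falling back to default-src."""
    directives = {}
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts:
            directives[parts[0].lower()] = parts[1:]
    return directives.get("script-src", directives.get("default-src", []))


def sha256_source(script: str) -> str:
    """Source expression a browser would accept for this exact script body."""
    digest = hashlib.sha256(script.encode("utf-8")).digest()
    return f"'sha256-{base64.b64encode(digest).decode()}'"


def inline_script_allowed(csp: str, script: str, nonce: Optional[str] = None) -> bool:
    """Mirror the CSP inline check: pass by matching nonce, by matching hash,
    or by 'unsafe-inline' (which is ignored once any nonce/hash source exists)."""
    sources = script_src_sources(csp)
    has_nonce_or_hash = any(re.match(r"'(nonce|sha(256|384|512))-", s) for s in sources)
    if nonce and f"'nonce-{nonce}'" in sources:
        return True
    if sha256_source(script) in sources:
        return True
    return "'unsafe-inline'" in sources and not has_nonce_or_hash


if __name__ == "__main__":
    print("injected script without nonce:", inline_script_allowed(SAMPLE_CSP, INJECTED_SCRIPT))
    print("hash source the app would need to allow it:", sha256_source(INJECTED_SCRIPT))
```

The last line shows the only way to keep a strict policy and still allow one fixed injected snippet: allow-list its hash on the application side, rather than adding 'unsafe-inline', which the browser ignores anyway while a nonce is present.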

  • 0 in reply to   

    Thanks Sebastijan. The problem is in the javascript that injects the form fill.
    Normally we do federation over SAML, but in this case, we prefer SSO over Form Fill.
    The problem is that I can't find information anywhere on how to define that filter in the web.xml.
    An integration like NAM and IDM should be more than documented, but it seems it is not.

  • 0

    Hi,

    Same problem here. Is there any solution for this yet?

    Switching SSO to federation is not really an option for our environment, as the User Application is completely protected by NAM, also with a long-life self-signed certificate in the backend, and OSP does an internal redirect to the hostname and port, so the customer would get a certificate error in the browser. The cert is also included in different places, hosts and keystores, which makes it more difficult to change our configuration.

    Regards,
    Andreas