Okta and Sitecore CMS List Manager


We have integrated Okta for authenticating Sitecore CMS using OpenID Connect. However, specifically while navigating to the attached Sitecore’s List Manager screen, we encounter the resulting issue as shown in the attachment. Hence, to resolve this issue, we referred to the below URL and added the “trusted origin for CORS”; however, we still aren’t able to get rid of this issue.

The issue seems to be that the response header is not getting appended with the “Access-Control-Allow-Origin” property in the response of the authorize web API. Hence, can you please add “Access-Control-Allow-Origin” to the response header while returning for the authorize Web API?

Please help.


I need a little more information here.

What is Sitecore CMS doing here? Attempting to redirect the user to login? Or use JavaScript to attempt to get tokens? Are you trying to implement some sort of silent-type of authentication here?

I think it is the latter but wanted to confirm. If the user is already logged in, you should already have access to the tokens in your application.

It is an antipattern to attempt to use the authorize route using XHR.

Hi Tom,

Here we are authenticating Sitecore CMS with Okta SSO. Once authentication happens, we are able to access all the screens of Sitecore CMS; however, we weren’t able to access the List Manager screen, as the product itself redirects to Okta instead of authenticating.

The reason being that the ItemServiceController (Web API) is a sealed class, which doesn’t have CORS enabled for the Web API method called from the List Manager screen. Hence it’s failing.


Hey Edison,

I’m familiar with Web API but not with Sitecore. Can you help me understand why the List Manager is using a different type of authentication than the rest of Sitecore? I suspect this is not really a CORS issue, but something not using the correct authentication mechanism.

Hi Nate,

Thanks for your response. Here the List Manager in Sitecore CMS uses an API to show the Subscribed/Unsubscribed lists. The issue with this API is that it immediately redirects to Okta rather than doing the authentication inherently. Hence they don’t have the corresponding response headers for authorization.


How did you get the SSO between Sitecore and Okta working? Can you share that configuration?

If you’re able to get a token from Okta via OIDC for the Sitecore app, is there a reason why the list manager section can’t use the same token for authorization?

Here are the steps we used to integrate Okta with Sitecore CMS:

Yes, though we have the token, the Sitecore API doesn’t authenticate using the token; instead it simply redirects to Okta. And then, seeing that Okta is of a different origin, the control doesn’t come back to Sitecore CMS to display the list in List Manager; this is where the problem lies.
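
The failure mode discussed in this thread, as an added example that is not part of any post and is not Okta or Sitecore code: when an unauthenticated script request is answered with a redirect toward the identity provider, the browser follows it cross-origin and blocks the result, whereas a 401 lets the page start the login as a top-level navigation. `LOGIN_ROUTE`, the function names and the sample requests are assumptions constructed for illustration.

```javascript
// Added example. LOGIN_ROUTE, function names and sample requests are hypothetical.
const LOGIN_ROUTE = "/login"; // assumed app route that starts the OIDC redirect

// Lower-case header names and values so lookups are case-insensitive.
function normalize(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers || {})) out[k.toLowerCase()] = String(v).toLowerCase();
  return out;
}

// True when the request came from script (XHR/fetch) rather than a page navigation.
function isScriptedRequest(headers) {
  const h = normalize(headers);
  if (h["sec-fetch-mode"]) return h["sec-fetch-mode"] !== "navigate";
  if (h["x-requested-with"] === "xmlhttprequest") return true;
  const accept = h["accept"] || "";
  return accept.includes("application/json") && !accept.includes("text/html");
}

// Decide how to challenge a request that may lack a session.
function challengeFor(request) {
  if (request.authenticated) return { status: 200 };
  if (isScriptedRequest(request.headers)) {
    // Script cannot complete an interactive login, so it is not redirected to the IdP.
    return { status: 401, body: { error: "login_required" } };
  }
  // Only a same-site path is carried back, never an absolute or scheme-relative URL.
  const path = /^\/(?![\/\\])/.test(request.path) ? request.path : "/";
  return { status: 302, location: `${LOGIN_ROUTE}?returnUrl=${encodeURIComponent(path)}` };
}

// Constructed sample requests: one navigation, two script calls, one authenticated call.
const samples = [
  { path: "/app/lists", authenticated: false, headers: { "Sec-Fetch-Mode": "navigate", Accept: "text/html" } },
  { path: "/api/lists", authenticated: false, headers: { "X-Requested-With": "XMLHttpRequest", Accept: "application/json" } },
  { path: "/api/lists", authenticated: false, headers: { "Sec-Fetch-Mode": "cors" } },
  { path: "/api/lists", authenticated: true, headers: { "Sec-Fetch-Mode": "cors" } },
];
for (const s of samples) console.log(s.path, JSON.stringify(challengeFor(s)));
```

On a 401 the calling page would send the whole window to the login route instead of retrying the call from script.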