The SDK supports transactional authorization as long as IG and AM are hosted under the same origin, that is, the same scheme, domain (subdomains included) and port. The reason is the redirect that the SDK has to follow from IG to AM when IG enforces additional login according to a policy. This redirect cannot go from one origin (for example, https://IG.example.com) to a different origin (for example, https://AM.example.com), which is referred to as an external redirect. If the origins are different, the request will fail CORS.
This limitation does not apply to RESTful resource servers with which the SDK interacts directly, as long as the server responds with the JSON sent to it by AM. When the SDK detects this JSON response from the resource, it constructs its own request to AM separately, which will not be blocked by CORS.
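The same-origin requirement for the IG-to-AM redirect can be checked before deployment. The following is an added example, not code from the SDK; the function names and the sso.example.com URLs are assumptions made for illustration. It compares the two URLs and reports which origin component (scheme, host or port) makes the redirect external.

```javascript
// Added example: pre-flight check for an IG -> AM redirect.
// All URLs below are constructed samples, not values from a real deployment.

const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

// Break a URL into the three parts that make up its origin.
function originParts(rawUrl) {
  const u = new URL(rawUrl); // throws TypeError on a malformed URL
  if (!(u.protocol in DEFAULT_PORTS)) {
    throw new Error(`unsupported scheme: ${u.protocol}`);
  }
  return {
    scheme: u.protocol,
    host: u.hostname, // already lower-cased by the URL parser
    port: u.port || DEFAULT_PORTS[u.protocol], // empty string means default port
  };
}

// Compare IG and AM and name every origin component that differs.
function checkRedirect(igUrl, amUrl) {
  const ig = originParts(igUrl);
  const am = originParts(amUrl);
  const differs = ['scheme', 'host', 'port'].filter((k) => ig[k] !== am[k]);
  return {
    sameOrigin: differs.length === 0,
    differs,
    verdict: differs.length === 0
      ? 'same-origin redirect: transactional authorization supported'
      : `external redirect (${differs.join(', ')} differ): request will fail CORS`,
  };
}

// Constructed sample deployments: [IG URL, AM URL].
const samples = [
  ['https://IG.example.com/app', 'https://AM.example.com/am'],
  ['https://sso.example.com/ig', 'https://sso.example.com:443/am'],
  ['https://sso.example.com/ig', 'https://sso.example.com:8443/am'],
  ['http://sso.example.com/ig', 'https://sso.example.com/am'],
];
for (const [ig, am] of samples) {
  console.log(`${ig} -> ${am}: ${checkRedirect(ig, am).verdict}`);
}
```

An explicit default port (`:443` on https) does not change the origin, while a different subdomain, a non-default port or a scheme mismatch each does.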