Shib with REST and AJAX Best Practices

Peter Schober peter.schober at
Tue Sep 13 14:05:26 BST 2011

* Russell J Yount <rjy at> [2011-09-13 14:17]:
> We have some developers here using REST and AJAX together with
> Shibboleth. The problem of the Javascript not understanding the 302
> redirects that shibboleth uses when re-authenticating has come up.

Not sure what setup/scenario exactly you have in mind but for REST as
in "non-browser access to shib protected resources" the usual answer is
to not use the SAML profile explicitly designed for web browser
access, but use ECP instead.

> <Sessions lifetime="28800" timeout="86400" checkAddress="false" relayState="ss:mem" handlerSSL="true">
> The key here is setting the lifetime value lower than the timeout
> value.

Sounds a bit like Voodoo. Lifetime specifies an upper limit for the
session to be valid, timeout an inactivity limit between requests for
the session to remain active. If the upper limit is lower than the
inactivity limit you're simply not making use of the latter (and might
as well disable the check with timeout="0", like the documentation
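An added illustration (not part of the thread or the Shibboleth SP code) that models the two limits the reply describes and lints a `<Sessions>` element for a lifetime that does not exceed the timeout. The sample element is the one quoted above, wrapped in a constructed root so it parses on its own.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the <Sessions> element quoted in the thread, wrapped in a
# minimal root element so it parses stand-alone (not a complete shibboleth2.xml).
SAMPLE_CONFIG = """
<ApplicationDefaults>
  <Sessions lifetime="28800" timeout="86400" checkAddress="false"
            relayState="ss:mem" handlerSSL="true"/>
</ApplicationDefaults>
"""


def parse_sessions(xml_text):
    """Return (lifetime, timeout) in seconds from the first <Sessions> element.
    Both attributes must be present; no defaults are assumed here."""
    root = ET.fromstring(xml_text)
    sessions = root if root.tag == "Sessions" else root.find(".//Sessions")
    if sessions is None:
        raise ValueError("no <Sessions> element found")
    lifetime = sessions.get("lifetime")
    timeout = sessions.get("timeout")
    if lifetime is None or timeout is None:
        raise ValueError("<Sessions> needs both lifetime and timeout")
    return int(lifetime), int(timeout)


def session_active(created, last_access, now, lifetime, timeout):
    """Model of the two checks: an absolute lifetime measured from session
    creation and an inactivity timeout measured from the last request.
    timeout == 0 disables the inactivity check, as the reply notes."""
    if now - created >= lifetime:
        return False
    if timeout and now - last_access >= timeout:
        return False
    return True


def timeout_is_effective(lifetime, timeout):
    """The inactivity limit can only expire a session before the absolute
    limit does when it is shorter than the lifetime (and not disabled)."""
    return 0 < timeout < lifetime


def lint_sessions(xml_text):
    """Return a warning string when the inactivity timeout can never fire."""
    lifetime, timeout = parse_sessions(xml_text)
    if not timeout_is_effective(lifetime, timeout):
        return ("timeout=%d never applies with lifetime=%d; "
                "either lower it below lifetime or set timeout=\"0\""
                % (timeout, lifetime))
    return None
```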
