How to make ajax CORS requests to shibboleth protected rest api?

Luke Palnau lpalnau at
Wed May 27 14:23:09 EDT 2015

We're trying to integrate our (optional shibboleth login) non-prod website
on with our new non-prod (shibboleth
protected) rest api on and are finding that
the website's ajax requests are getting not authorized responses (403s)
from the new api.

We've gotten public endpoints from the new api to work with the non-prod
website, but we're thinking the CORS ajax requests probably need additional
headers on them to be able to access the shibboleth protected endpoints.
Has anyone already figured this out? We'd really appreciate any advice on

Our aim is to have the non-prod website keep the admin pages, but move the
api endpoints it relies on to a new api. Ultimately if CORS ajax is not
supported by shibboleth we may have to move the admin pages to the same
domain as the new api, but we are trying to avoid that move because the
website has a lot of public pages also that we don't want to separate or
lose the known public domain name.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the users mailing list