How to make ajax CORS requests to shibboleth protected rest api?

Cantor, Scott cantor.2 at
Wed May 27 14:50:12 EDT 2015

On 5/27/15, 2:23 PM, "users on behalf of Luke Palnau" <users-bounces at on behalf of lpalnau at> wrote:

>We've gotten public endpoints from the new api to work with the non-prod website, but we're thinking the CORS ajax requests probably need additional headers on them to be able to access the shibboleth protected endpoints.

Access to a Shibboleth SP protected resource is by cookie-based session (always, only). There's nothing else involved.

Obtaining such a session cookie under normal conditions is done with a SAML profile that's either browser-based (meaning can render a login form) or non-browser based (SAML ECP). What you're doing would likely support neither.

I don't really follow the rest of the message, but that is the technical situation. AJAX calls normally have to happen after the browser has negotiated for a session (by virtue of them having access to the same cookie store when they make the calls to the server).

-- Scott
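
A sketch of what the reply implies for the client side, added here as an example and not part of the original message: the cross-origin call carries no special headers, it only has to send the existing SP session cookie and recognize when no session exists. The function names and the injectable `fetchImpl` are hypothetical, and it assumes the SP answers a request without a session by redirecting towards login.

```javascript
// Added example; function names are hypothetical.
// fetchImpl is injectable so the logic can be exercised outside a browser.
async function callProtectedApi(url, fetchImpl = fetch) {
  let res;
  try {
    res = await fetchImpl(url, {
      method: 'GET',
      mode: 'cors',
      credentials: 'include', // send the SP session cookie cross-origin
      redirect: 'manual',     // do not follow a redirect into the login flow
      headers: { Accept: 'application/json' },
    });
  } catch (err) {
    // Network failure, or the browser blocked the response on CORS grounds.
    return { state: 'blocked', detail: String(err) };
  }
  // With redirect: 'manual' a browser reports any redirect as an opaque
  // response (type 'opaqueredirect', status 0). Assumption: the SP answers
  // a request without a session by redirecting towards login.
  if (res.type === 'opaqueredirect' || (res.status >= 300 && res.status < 400)) {
    return { state: 'no-session' };
  }
  if (res.status === 401 || res.status === 403) {
    return { state: 'denied', status: res.status };
  }
  if (!res.ok) return { state: 'error', status: res.status };
  return { state: 'ok', data: await res.json() };
}

// A credentialed CORS response is only readable by the page when the server
// names the calling origin exactly (no "*") and allows credentials.
function credentialedCorsAllowed(headers, pageOrigin) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v).trim();
  return h['access-control-allow-origin'] === pageOrigin &&
         h['access-control-allow-credentials'] === 'true';
}
```

On a `no-session` result the page has to send the browser through the normal login flow as a top-level navigation and repeat the call afterwards; the AJAX request cannot obtain the session itself.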
