How to make ajax CORS requests to shibboleth protected rest api?

[Jim Fox]

>
> I don't really follow the rest of the message, but that is the technical situation. AJAX calls normally have to happen after the browser has negotiated for a session (by virtue of them having access to the same cookie store when they make the calls to the server).
>

We do this cross-domain ajax using an oauth mechanism.  The original site, where you have a session, sets a token on the app's page.  Your ajax code includes this token in requests to the remote site where it is used for authn.  It's not shib or saml.

Jim