How to make ajax CORS requests to shibboleth protected rest api?
fox at washington.edu
Wed May 27 15:15:11 EDT 2015
> I don't really follow the rest of the message, but that is the technical situation. AJAX calls normally have to happen after the browser has negotiated for a session (by virtue of them having access to the same cookie store when they make the calls to the server).
We do this cross-domain ajax using an oauth mechanism. The original site, where you have a session, sets a token on the app's page. Your ajax code includes this token in requests to the remote site where it is used for authn. It's not shib or saml.
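
An added example of the token pattern the reply above describes; it is not the poster's code or their site's implementation. The post says only "an oauth mechanism", so the HMAC-signed token format, the hostnames, the shared key, the 5-minute lifetime and all function names here are assumptions made for illustration.

```javascript
const crypto = require('crypto');

// Assumed values, not from the post.
const APP_ORIGIN = 'https://app.example.edu';   // site where the user has a session
const SHARED_KEY = crypto.randomBytes(32);      // known only to the session site and the API
const TTL_SECONDS = 300;

const b64 = (data) => Buffer.from(data).toString('base64url');
const sign = (payload) => crypto.createHmac('sha256', SHARED_KEY).update(payload).digest();

// Session site: called while rendering the app page for an authenticated user.
function issueToken(user, now = Date.now()) {
  const payload = b64(JSON.stringify({ sub: user, exp: Math.floor(now / 1000) + TTL_SECONDS }));
  return `${payload}.${b64(sign(payload))}`;
}

// Remote API: constant-time signature check first, then expiry.
function verifyToken(token, now = Date.now()) {
  const [payload, mac] = String(token).split('.');
  if (!payload || !mac) return null;
  const expected = sign(payload);
  const given = Buffer.from(mac, 'base64url');
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
  const claims = JSON.parse(Buffer.from(payload, 'base64url').toString());
  return claims.exp > Math.floor(now / 1000) ? claims : null;
}

// Remote API: one request. Authentication rides in the Authorization header, so the
// browser sends no cookies and Access-Control-Allow-Credentials is never emitted.
function handleApiRequest({ method, headers }, now = Date.now()) {
  if (headers.origin !== APP_ORIGIN) return { status: 403, headers: {} };
  const cors = { 'Access-Control-Allow-Origin': APP_ORIGIN, Vary: 'Origin' };
  if (method === 'OPTIONS') {
    // Preflight, triggered because Authorization is not a CORS-safelisted header.
    return { status: 204, headers: { ...cors, 'Access-Control-Allow-Headers': 'Authorization' } };
  }
  const m = /^Bearer (.+)$/.exec(headers.authorization || '');
  const claims = m && verifyToken(m[1], now);
  // CORS headers go on the 401 too, so the page's script can read the status.
  return claims ? { status: 200, headers: cors, user: claims.sub } : { status: 401, headers: cors };
}

// Browser side, on the app page (token was embedded by the session site):
// fetch('https://api.example.edu/data', { headers: { Authorization: `Bearer ${token}` } });
```

The Origin check only decides which pages' scripts may read responses; the signed, short-lived token is what authenticates the caller.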