On 2018/04/10 4:38, Cantor, Scott wrote: >> then accesses the /api just fine, once the shib session expires the XHRs to >> /api will get HTTP 401 from the server. > I think the SP itself is just returning 403s on require failures. On CentOS 7 (Apache httpd 2.4) I always see "401 Unauthorized" instead of 403. CentOS 6 returns 403 for sure. Takeshi