Does Shibboleth SP support HTTP POST redirect using status code 307?

Cantor, Scott cantor.2 at osu.edu
Tue Feb 13 15:18:45 EST 2018


> How to set up SP to handle this? Can SP use HTTP status code 307 when
> original request is a POST? From what I read, 307 is required to redirect HTTP
> POST request.

The SP POST preservation logic recreates the original request and the appropriate codes are used, not a 307. Without that logic enabled, nothing it did would work anyway. The POST itself isn't being redirected, so I doubt that a 307 would be correct, nor would it fix anything. It would be horrible if it actually submitted the form to the IdP for example.

Client-side approaches to application development are inherently incompatible with browser-unaware SSO schemes if you enforce timeouts and lifetimes independent of the application, and you can't just assume that the round trip to the IdP will be transparent, so you're just delaying the inevitable by trying to make it work anyway.

-- Scott
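
The point in the reply above, as an added illustration that is not part of the original message and is not Shibboleth SP code: a simplified Python model of how a browser treats a 307 on a POST (method and body go to the redirect target) next to a stash-and-replay approach where the IdP only ever sees a GET. The URLs, form fields, the `PostPreservingSP` class and its use of `RelayState` as an opaque reference are assumptions made for this example.

```python
import secrets

# Simplified model for illustration; not Shibboleth SP code.
# URLs and form fields are constructed sample values.
IDP_URL = "https://idp.example.org/sso"
APP_URL = "https://sp.example.org/app/save"
FORM = "comment=draft+text&csrf=abc123"

def follow_redirect(status, method, body, location):
    """Return (method, url, body) a browser sends after a redirect response."""
    if status in (307, 308):
        return (method, location, body)          # method and body preserved
    if status in (301, 302, 303):
        if method == "POST" or (status == 303 and method != "HEAD"):
            return ("GET", location, None)       # body is dropped
        return (method, location, body)
    raise ValueError(f"not a redirect status: {status}")

class PostPreservingSP:
    """Hypothetical SP: stash the request, redirect plainly, replay after login."""
    def __init__(self):
        self._stash = {}

    def intercept(self, method, url, body):
        key = secrets.token_urlsafe(16)          # opaque reference, no form data
        self._stash[key] = (method, url, body)
        return 302, f"{IDP_URL}?RelayState={key}", key

    def resume(self, key):
        return self._stash.pop(key)              # one-time recreation of the request

def idp_receives_with_307():
    # A 307 answer to the expired-session POST sends the form to the IdP.
    return follow_redirect(307, "POST", FORM, IDP_URL)

def idp_receives_with_preservation():
    sp = PostPreservingSP()
    status, location, key = sp.intercept("POST", APP_URL, FORM)
    at_idp = follow_redirect(status, "POST", FORM, location)
    return at_idp, sp.resume(key)

if __name__ == "__main__":
    print("307:", idp_receives_with_307())
    print("preserved:", idp_receives_with_preservation())
```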


