Does Shibboleth SP support HTTP POST redirect using status code 307?
William Lee
wlee007-m at yahoo.com
Tue Feb 13 17:45:22 EST 2018
Scott, thanks. We did hope SP/IdP timeout would be transparent to application, but not the case. I assume this isn't a rare scenario (user agent requests a SP-protected resource via HTTP POST without a valid SP session), what are the possible solutions to this?
Best regards, William
On Tuesday, February 13, 2018, 3:19:30 PM EST, Cantor, Scott <cantor.2 at osu.edu> wrote:
> How to set up SP to handle this? Can SP use HTTP status code 307 when
> original request is a POST? From what I read, 307 is required to redirect HTTP
> POST request.
The SP POST preservation logic recreates the original request and the appropriate codes are used, not a 307. Without that logic enabled, nothing it did would work anyway. The POST itself isn't being redirected, so I doubt that a 307 would be correct, nor would it fix anything. It would be horrible if it actually submitted the form to the IdP for example.
Client side approaches to application development are inherently incompatible with browser-unaware SSO schemes if you enforce timeouts and lifetimes independent of the application, and you can't just assume that the round trip to the IdP will be transparent, so you're just delaying the inevitable by trying to make it work anyway.
-- Scott
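The difference between a 307 and the other redirect codes, and why a 307 toward the IdP would carry the form along with it, can be reproduced locally. This is an added example, not part of the original thread and not Shibboleth code; the `/sp/<status>` and `/idp/sso` paths, the `Demo` handler and the form body are constructed for illustration, and the client loop models how browsers handle each redirect status.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

FORM = "comment=draft+text&csrf=constructed-token"  # constructed sample form body

class Demo(BaseHTTPRequestHandler):
    """One local server plays both roles: /sp/<status> (hypothetical SP with no
    session) and /idp/sso (hypothetical IdP endpoint that records requests)."""
    seen = []

    def handle_any(self):
        body = self.rfile.read(int(self.headers.get("Content-Length") or 0)).decode()
        if self.path.startswith("/sp/"):
            # Redirect to the IdP using the status code named in the path.
            self.send_response(int(self.path.rsplit("/", 1)[1]))
            self.send_header("Location", "/idp/sso")
        else:
            Demo.seen.append((self.command, body))
            self.send_response(200)
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_GET = do_POST = handle_any

    def log_message(self, *args):  # keep the demo quiet
        pass

def idp_sees(status):
    """POST FORM to the SP, follow its redirect the way a browser would, and
    return (method, body) as received by the IdP endpoint."""
    Demo.seen.clear()
    server = HTTPServer(("127.0.0.1", 0), Demo)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    method, path = "POST", f"/sp/{status}"
    try:
        while path:
            conn = http.client.HTTPConnection(*server.server_address[:2], timeout=5)
            conn.request(method, path, body=FORM if method == "POST" else None)
            resp = conn.getresponse()
            resp.read()
            path = resp.getheader("Location")  # None once the IdP answers 200
            if resp.status in (301, 302, 303):
                method = "GET"  # body dropped; 307/308 keep method and body
            conn.close()
    finally:
        server.shutdown()
        server.server_close()
    return Demo.seen[-1]
```

With 302 or 303 the IdP endpoint receives a bare GET; with 307 it receives the user's POST body, which is the outcome the reply above warns about.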