Does Shibboleth SP support HTTP POST redirect using status code 307?

William Lee wlee007-m at
Tue Feb 13 17:45:22 EST 2018

Scott, thanks. We did hope SP/IdP timeout would be transparent to application, but not the case. I assume this isn't a rare scenario (user agent requests a SP-protected resource via HTTP POST without a valid SP session), what are the possible solutions to this?

Best regards,
William

On Tuesday, February 13, 2018, 3:19:30 PM EST, Cantor, Scott <cantor.2 at> wrote:
> How to set up SP to handle this? Can SP use HTTP status code 307 when
> original request is a POST? From what I read, 307 is required to redirect HTTP
> POST request.

The SP POST preservation logic recreates the original request and the appropriate codes are used, not a 307. Without that logic enabled, nothing it did would work anyway. The POST itself isn't being redirected, so I doubt that a 307 would be correct, nor would it fix anything. It would be horrible if it actually submitted the form to the IdP for example.

Client side approaches to application development are inherently incompatible with browser-unaware SSO schemes if you enforce timeouts and lifetimes independent of the application, and you can't just assume that the round trip to the IdP will be transparent, so you're just delaying the inevitable by trying to make it work anyway.

-- Scott
