Does Shibboleth SP support HTTP POST redirect using status code 307?

Cantor, Scott cantor.2 at
Tue Feb 13 18:53:26 EST 2018

> Scott, thanks. We did hope SP/IdP timeout would be transparent to
> application, but not the case.

It is, mostly, if your application isn't written with those kinds of tools and the application supports deep linking.

> I assume this isn't a rare scenario (user agent
> requests a SP-protected resource via HTTP POST without a valid SP session),
> what are the possible solutions to this?

That isn't your problem, your user agent isn't one, it has no UI, it's just a Javascript thread. If it did, you could turn on the post preservation feature and it would more or less work, at least with Apache. With no UI capability, that simply can't be relied upon.

The only solution I know of is to take over the session management so timeouts aren't possible.

-- Scott

More information about the users mailing list