Does Shibboleth SP support HTTP POST redirect using status code 307?

Cantor, Scott cantor.2 at
Tue Feb 13 19:42:23 EST 2018

> Another way to do it is for the application itself to keep track of its state,
> which is how we do it in our AngularJS apps.  Well, we do a few things.
> (We're not dealing with a Shibboleth SP, but we still have to deal with the
> situation where a session -- in our case, an OAuth access token -- has
> expired.)

That was my meaning in saying "take over the session management", it has to be something the app deals with instead of leaving it to involuntary behavior.
> (Our model would be more like what Scott suggests, where you don't use
> the SP for session management.  Use lazy sessions, and your backend can
> signal back to the AngularJS app when the session has expired and it's time to
> do re-auth.)

From an SP perspective, yes, the passive behavior allows a fair amount of continued reuse of the SP machinery, but you can control when the redirects actually happen.

-- Scott

More information about the users mailing list