Does Shibboleth SP support HTTP POST redirect using status code 307?

William Lee wlee007-m at
Fri Feb 16 01:04:27 EST 2018

Can SP pass the value of session expiry time to backend?

On Tuesday, February 13, 2018, 7:42:55 PM EST, Cantor, Scott <cantor.2 at> wrote:

> Another way to do it is for the application itself to keep track of its state,
> which is how we do it in our AngularJS apps.  Well, we do a few things.
> (We're not dealing with a Shibboleth SP, but we still have to deal with the
> situation where a session -- in our case, an OAuth access token -- has
> expired.)

That was my meaning in saying "take over the session management"; it has to be something the app deals with instead of leaving it to involuntary behavior.

> (Our model would be more like what Scott suggests, where you don't use
> the SP for session management.  Use lazy sessions, and your backend can
> signal back to the AngularJS app when the session has expired and it's time to
> do re-auth.)

From an SP perspective, yes, the passive behavior allows a fair amount of continued reuse of the SP machinery, but you can control when the redirects actually happen.

-- Scott
