Anyone securing an Angular application

Starkey, Don [BSD] - CRI dstarkey at
Fri Jul 20 10:56:53 EDT 2018

Are you saying that you cannot secure a client side  application run in the browser with shibboleth?  Do you have an example of how to do this if it is possible?

Thanks again,

-----Original Message-----
From: users [mailto:users-bounces at] On Behalf Of Peter Schober
Sent: Friday, July 20, 2018 2:15 AM
To: users at
Subject: Re: Anyone securing an Angular application

* Starkey, Don [BSD] - CRI <dstarkey at> [2018-07-19 16:50]:
> I am having trouble securing my Angular application.   The same shib
> setup works fine for .net apps and web form sites.

Well, those others are running in the web server. Your Angular
application runs in the web browser. So completely different in every

> So that is not an issue.  However, when I try to use the same shib
> setup to secure the angular application it does not work.

The example I (and others) have provided works. You don't provide
technical details what you did and what specifically differs in your

> the shib is trying to connect but it just displays the shib error
> page.  Following error in Dev Toolbox.
> GET<>SAML Request xxxxxxxx
> 500 server error, and Shib simply displays error page without giving option to sign in
> Also:
> Cross-Origin Read Blocking (CORB) blocked cross-origin response

That's the consequence of your client-side JavaScript code trying to
follow the HTTP 302 to the IDP, which cannot work. You'll need to do a
full browser redirect to the IDP if you want to use the SAML Web
Browser SSO Profile.

For Consortium Member technical support, see 
To unsubscribe from this list send an email to users-unsubscribe at

More information about the users mailing list