Session validation in Single Page Application with SP 3.0.2

Peter Schober peter.schober at
Wed Nov 14 10:51:41 EST 2018

* Ron Harris <neo204011 at> [2018-11-14 14:52]:
> One of Our application is a Single Page Application. The URL of the
> application is Shibboleth protected, so to access the application one has
> to authenticate.
> Once authenticated, Angular application gets downloaded in browser. And
> hence it doesn't require the browser to be refresh again.
> Angular Application calls REST APIs which are outside Shibboleth.
> This posses us with a problem where we are unable to verify if the ADFS
> session is active or not.

The "ADFS session" (I'm assuming this to mean the SSO session the
browser has with the SAML IDP) doesn't factor into this, at least not
until the SP's own session expires and SSO kicks in for access to
actively protected resource. (Access to other resources will not.)

> Its not possible to bring the REST APIs under Shibboleth, as other
> applications too use them.

What are these APIs protected with?


More information about the users mailing list