numerous HTTP OPTIONS method requests in Jetty log

Cantor, Scott cantor.2 at osu.edu
Fri Apr 5 09:50:11 EDT 2019


It's an AJAX thing, some cross-origin nonsense. My brain has better things to do than try and understand that idiocy right now, but I guess the bottom line is the SP is protecting something that isn't suited to being protected by our "style" of authentication design, and the AJAX requests are getting 302'd to a different origin, so the browser sends a pre-flight check to see if the IdP server will allow it (which it likely wouldn't anyway).

It's much better to avoid active protection scenarios with the SP in these kinds of apps and/or just gateway the SP session over into an app session and get it out of the way.

Another idea might be to install something that causes a fixed "no, go away" response and include an Access-Control-Max-Age header to get the browser to cache that result. But that may well end up breaking things.

I really am not versed enough to know what's right, but that's what's causing it.

-- Scott
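
To check whether the OPTIONS requests in a log match the pre-flight pattern described in this message, tally them per endpoint and per client. This is an added example, not part of the original post; it assumes an NCSA-style request log layout, and the sample lines (addresses, paths, timestamps) are constructed.

```python
import re
from collections import Counter, defaultdict

# Assumed NCSA common/combined access-log layout; adjust the pattern if the
# Jetty request log is configured differently.
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines (hosts, paths and timestamps are illustrative).
SAMPLE_LOG = """\
192.0.2.10 - - [05/Apr/2019:09:41:02 -0400] "OPTIONS /idp/profile/SAML2/Redirect/SSO?SAMLRequest=abc HTTP/1.1" 200 0
192.0.2.10 - - [05/Apr/2019:09:41:07 -0400] "OPTIONS /idp/profile/SAML2/Redirect/SSO?SAMLRequest=def HTTP/1.1" 200 0
192.0.2.10 - - [05/Apr/2019:09:41:09 -0400] "GET /idp/profile/SAML2/Redirect/SSO?SAMLRequest=ghi HTTP/1.1" 200 5120
198.51.100.7 - - [05/Apr/2019:09:42:30 -0400] "OPTIONS /idp/profile/SAML2/Redirect/SSO?SAMLRequest=jkl HTTP/1.1" 200 0
198.51.100.7 - - [05/Apr/2019:09:42:31 -0400] "OPTIONS /idp/status HTTP/1.1" 403 0
not a log line
"""

def summarize_options(log_text):
    """Return {path: {"count", "clients", "statuses"}} for OPTIONS requests."""
    summary = defaultdict(lambda: {"count": 0, "clients": set(), "statuses": Counter()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("method") != "OPTIONS":
            continue  # skip unparseable lines and all other methods
        path = m.group("target").split("?", 1)[0]  # drop the per-request query string
        entry = summary[path]
        entry["count"] += 1
        entry["clients"].add(m.group("client"))
        entry["statuses"][m.group("status")] += 1
    return dict(summary)

if __name__ == "__main__":
    rows = sorted(summarize_options(SAMPLE_LOG).items(), key=lambda kv: -kv[1]["count"])
    for path, e in rows:
        print(f'{e["count"]:4d}  {path}  clients={len(e["clients"])}  statuses={dict(e["statuses"])}')
```

OPTIONS requests concentrated on the SSO endpoint, spread across many browser clients, are consistent with redirected AJAX calls; the access log alone does not record the Origin header, so this is a triage signal rather than proof.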



