React based app integrate with Shibboleth

Peter Schober peter.schober at
Wed Apr 24 03:11:52 EDT 2019

* Pablo Vidaurri <psvidaurri at> [2019-04-23 23:27]:
> We have a vendor using a mobile app that is react based. They are
> having a hard time integrating with Shibboleth idp. Is there a
> library available or a shib service provider component that I can
> direct them to?

The SAML 2.0 Web Browser SSO profile is not a good fit for client-side
Usually the ECP profile isn't any better since it assumes password
entry in (and therefore fully trusting) the ECP client. (And
password-based authentication is not a good fit for mobile devices
without a keyboard.)

The Shib SP doesn't expose an "API" so there's no library either.
(Some people may publish wrapping code but that's just them making up
and exposing a server-side API of their own.)  You interact with the
SP by reading server environment variables (plus optionally creating
redirects to the SP's handler endpoints, in some cases) so that
assumes server-side code.
(You'd also have to consider the interactions of client-side code with
server-side SP sessions, cf. this thread from the archives:
"Return 401 on expired/missing session?".)

See RFC 8252/BCP 212 for a hopefully safe mechanism, though that
assumes OAuth as the protocol.


More information about the users mailing list