Shib SP to IDP missing header for CORS

Allan West allan at
Mon Aug 17 12:42:22 UTC 2020

Let me re-state my ask:

Can someone post an example of a working CORS header config from an
apache config file, that allows two shibboleth-protected sites to
interact? I am iterating apache config updates and testing, but the call
to the back-end site's data file always appears as the 302 redirect to
the IdP _without_ the CORS header.

Thanks, Allan

On 2020/08/14 2:30 PM, Allan West wrote:
> I suspect I'm missing something obvious, but I'm unsuccessfully trying
> to get two shibboleth-protected sites to play nicely together with a
> cross site scripting call. We've got the sites setting cookies for:
>     "SameSite=None; Secure"
> to make Chrome happy, and when we look at pages on the sites directly we
> get headers including:
>     Access-Control-Allow-Origin:
> However, when we start on the site:
> and call the other site's data, the trace shows:
>     CORS Missing Allow Origin
> on the 302 Redirect from the other site to our IdP.
> How do we assert headers into the apache shibboleth redirect? We're
> running SP 3.1.0, which I believe is latest. On the shibboleth site I
> found a page about CORS headers that refers to the IdP, and which is
> documented as known not to work. There was an email thread in January,
> 2019, in which Scott stated:
>> That would be an Apache question. The SP adds its own headers at times
>> but it doesn't remove any, which I've tested plenty of times.
> I am definitely seeing an absence of headers in the SP to IdP redirect
> that exist in other pages returned from that site.
> Maybe it's just poor Google-fu on my part; if someone can tell me what
> search terms to use, I'll go search some more next week.
> Thanks,
> Allan West
> UFIT linux system administrator
> allan at
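
One way to configure what the message above asks about, as an added example that is not part of the original post or of the Shibboleth project: per the Apache mod_headers documentation, a `Header` directive with no condition is not applied to locally generated non-2xx responses such as a redirect, while `Header always` is. The hostname and the `/data` path are placeholders, and that this matches the poster's setup is an assumption.

```apache
# Added example. Requires mod_headers and the Shibboleth SP module (mod_shib).
# "https://frontend.example.edu" and "/data" are placeholders, not values
# taken from the thread.

<Location "/data">
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    Require valid-user

    # Weak form: with no condition, mod_headers writes to the "onsuccess"
    # table. That table is not used for responses the server generates
    # itself (the 302 to the IdP, or a 401/403), so the header shows up on
    # normal pages and is missing on the redirect.
    #Header set Access-Control-Allow-Origin "https://frontend.example.edu"

    # Corrected form: the "always" table is also sent on redirects and
    # error responses.
    Header always set Access-Control-Allow-Origin "https://frontend.example.edu"

    # The session cookies are sent cross-site, so credentials have to be
    # allowed explicitly. Browsers reject "*" as the allowed origin when
    # credentials are included, hence the single named origin above.
    Header always set Access-Control-Allow-Credentials "true"
</Location>
```

This only covers the SP's own 302. The browser then follows the redirect to the IdP, and the IdP's response goes through the same CORS check.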
