Shib SP to IDP missing header for CORS

Allan West allan at
Mon Aug 17 19:06:35 UTC 2020

Thank you Scott, I've gotten headers to appear in the connection from
the SP to the IdP.

I am still getting a failure state back to the SP, likely because the
headers aren't carried through the IdP connection. At least, that's what
it appears to be complaining about in Firefox's Inspector Network tab.

Maybe that's what the IdP part of this URL was aimed at:

I am no longer the university's IdP manager, so I'm not sure whether:
 A. that's a useful fix
 B. it should be required at all

This takes me back to wondering whether I'm trying to implement the
wrong wheel for this cart.

This probably isn't related, but we're also passing a cookie with:
    sameSite: "None"
    secure: true
to handle newer Chrome issues.

Thanks, Allan

On 2020/08/17 10:15 AM, Cantor, Scott wrote:
> [External Email]
> I thought this rang a bell, I found [1], which was somebody complaining about the issue, and the upshot was that when I tested various ways of getting the headers set, it always worked, but the specific example that somebody posted to the wiki about doing this for CORS did not for whatever obscure reason.
> -- Scott
> [1]
> --
> For Consortium Member technical support, see
> To unsubscribe from this list send an email to users-unsubscribe at

More information about the users mailing list