Shib SP to IDP missing header for CORS

Allan West allan at ufl.edu
Mon Aug 17 19:06:35 UTC 2020


Thank you Scott, I've gotten headers to appear in the connection from
the SP to the IdP.

I am still getting a failure state back to the SP, likely because the
headers aren't carried through the IdP connection. At least, that's what
it appears to be complaining about in Firefox's Inspector Network tab.

Maybe that's what the IdP part of this URL was aimed at:

https://wiki.shibboleth.net/confluence/display/IDP30/Cross-origin+AJAX+requests+for+Shib-protected+resources

I am no longer the university's IdP manager, so I'm not sure whether:
 A. that's a useful fix
 B. it should be required at all

This takes me back to wondering whether I'm trying to implement the
wrong wheel for this cart.


This probably isn't related, but we're also passing a cookie with:
    sameSite: "None"
    secure: true
to handle newer Chrome issues.

Thanks, Allan


On 2020/08/17 10:15 AM, Cantor, Scott wrote:
> I thought this rang a bell. I found [1], which was somebody complaining about the issue, and the upshot was that when I tested various ways of getting the headers set, it always worked, but the specific example that somebody posted to the wiki about doing this for CORS did not, for whatever obscure reason.
>
> -- Scott
>
> [1] https://issues.shibboleth.net/jira/browse/SSPCPP-732


