Handling CORS to shibboleth protected sites

Allan West allan at ufl.edu
Tue Aug 18 17:46:31 UTC 2020

I need some advice on current, working practices to allow calls from
another site into a shibboleth-protected site. We are getting CORS
errors in the browsers for AJAX calls and other methods that try to call
content from a shibboleth protected site. These services worked until
recently, and now they do not, almost certainly because of increased
security settings in browsers.

What are others doing to allow CORS calls into shibboleth protected sites?

I had a separate thread, "Shib SP to IDP missing header for CORS" based
on my problems with trouble-shooting. I learned that headers can be set
and carried from the SP to the IdP. However, those headers will
never be passed through the IdP, nor does the IdP seem happy with the
request to authenticate / validate the connection. In Firefox Inspector
traces, the shibboleth-protected site uses a 302 redirect to the IdP to
validate, and the IdP errors on CORS, causing both SP and IdP lines to show:
    CORS Missing Allow Origin

That means we need to be allowing this access in some other way, but I
haven't found a good statement of practice on what anyone is doing right
now to allow CORS calls into a shibboleth protected site.

Allan West
UFIT linux system administrator
allan at ufl.edu
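
Added example, not part of the original post: a simplified JavaScript model of the CORS check a browser applies to every hop of the SP-to-IdP redirect chain described above, useful for working out from a capture which hop fails and why. All hostnames, paths and header values are constructed, and the model ignores preflight requests.

```javascript
// Simplified model of the Fetch-standard CORS check, applied per redirect hop.
// Hostnames, paths and header values below are constructed sample data.
function corsCheck(headers, originHeader, withCredentials) {
  const allow = headers["access-control-allow-origin"];
  if (allow === undefined) return "CORS Missing Allow Origin";
  if (allow === "*") return withCredentials ? "wildcard not allowed with credentials" : null;
  if (allow !== originHeader) return "Allow Origin does not match " + originHeader;
  if (withCredentials && headers["access-control-allow-credentials"] !== "true")
    return "missing Access-Control-Allow-Credentials: true";
  return null;
}

// Returns the first hop that fails the check, or null if the whole chain passes.
function firstCorsFailure(pageOrigin, chain, withCredentials) {
  let cors = false;    // true from the first cross-origin hop onwards
  let tainted = false; // true once a cross-origin hop redirects to another origin
  for (let i = 0; i < chain.length; i++) {
    const hop = chain[i];
    const hopOrigin = new URL(hop.url).origin;
    cors = cors || hopOrigin !== pageOrigin;
    if (cors) {
      // After tainting, the browser sends "Origin: null" instead of the page origin.
      const sent = tainted ? "null" : pageOrigin;
      const reason = corsCheck(hop.headers, sent, withCredentials);
      if (reason) return { hop: i, url: hop.url, reason };
    }
    const next = chain[i + 1];
    if (next && hopOrigin !== pageOrigin && new URL(next.url).origin !== hopOrigin)
      tainted = true;
  }
  return null;
}

// Constructed capture: calling page -> SP (302) -> IdP.
const APP = "https://app.example.edu";
const SP_OK = { "access-control-allow-origin": APP, "access-control-allow-credentials": "true" };
function sampleChain(spHeaders, idpHeaders) {
  return [
    { url: "https://sp.example.edu/api/data", status: 302, headers: spHeaders },
    { url: "https://idp.example.edu/idp/login", status: 200, headers: idpHeaders },
  ];
}

console.log(firstCorsFailure(APP, sampleChain(SP_OK, {}), true));
console.log(firstCorsFailure(APP, sampleChain(SP_OK, SP_OK), true));
```

In the second call the IdP hop still fails even though it echoes the application's origin, because the request reaches the IdP with `Origin: null` after the cross-origin redirect.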
