Handling CORS to shibboleth protected sites
Christopher Bongaarts
cab at umn.edu
Wed Aug 19 15:02:53 UTC 2020
My guide to doing this (which others have reported issues with, though
we did have it working at one point in the past) is here:
https://wiki.shibboleth.net/confluence/display/IDP30/Cross-origin+AJAX+requests+for+Shib-protected+resources
I've tried to call out why the various parts are needed. In this case:
If the shib-protected site is using HTTP-Redirect, it won't work because
XmlHttpRequest follows them and does not propagate the necessary
headers. You need to force HTTP-POST instead; for the Shib SP, you can
do this:
    <SSO entityID="https://idp.example.edu/idp/shibboleth"
         outgoingBindings="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">
      SAML2
    </SSO>
On 8/18/2020 12:46 PM, Allan West wrote:
> I need some advice on current, working practices to allow calls from
> another site into a shibboleth-protected site. We are getting CORS
> errors in the browsers for AJAX calls and other methods that try to call
> content from a shibboleth protected site. These services worked until
> recently, and now they do not, almost certainly because of increased
> security settings in browsers.
>
> What are others doing to allow CORS calls into shibboleth protected sites?
>
>
> I had a separate thread, "Shib SP to IDP missing header for CORS" based
> on my problems with trouble-shooting. I learned that headers can be set
> and carried from the SP to the IdP. However, those headers will
> never be passed through the IdP, nor does the IdP seem happy with the
> request to authenticate / validate the connection. In Firefox Inspector
> traces, the shibboleth-protected site uses a 302 redirect to the IdP to
> validate, and the IdP errors on CORS, causing both SP and IdP lines to show:
> CORS Missing Allow Origin
>
> That means we need to be allowing this access in some other way, but I
> haven't found a good statement of practice on what anyone is doing right
> now to allow CORS calls into a shibboleth protected site.
>
> Thanks,
> Allan West
> UFIT linux system administrator
> allan at ufl.edu
>
--
%% Christopher A. Bongaarts %% cab at umn.edu %%
%% OIT - Identity Management %% http://umn.edu/~cab %%
%% University of Minnesota %% +1 (612) 625-1809 %%
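As an added example (not code from the post's author or the Shibboleth project), the check below reports any <SSO> element in a shibboleth2.xml that does not force the HTTP-POST binding as described above. It assumes the SP 3 config namespace in the constructed sample configs, and treats a missing outgoingBindings as "SP default order applies" rather than as forced POST.

```python
"""Report <SSO> elements in a Shibboleth SP config that do not force
the SAML2 HTTP-POST outgoing binding (the fix from the post above).

Added example; sample configs below are constructed for illustration."""
import xml.etree.ElementTree as ET

HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"


def sso_binding_findings(config_xml: str) -> list:
    """Return one finding per <SSO> whose binding preference could make
    the SP answer an XHR with a 302 to the IdP. An <SSO> passes only if
    outgoingBindings is present and lists HTTP-POST first; an absent
    attribute is reported because the SP then uses its own default order."""
    root = ET.fromstring(config_xml)
    findings = []
    for elem in root.iter():
        # Match on the local name so the config namespace does not matter.
        if elem.tag.rsplit("}", 1)[-1] != "SSO":
            continue
        entity = elem.get("entityID", "(discovery)")
        bindings = elem.get("outgoingBindings", "").split()
        if not bindings:
            findings.append(f"{entity}: outgoingBindings not set; SP default order applies")
        elif bindings[0] != HTTP_POST:
            findings.append(f"{entity}: first outgoing binding is {bindings[0]}, not HTTP-POST")
    return findings


# Constructed sample: an SP config with no outgoingBindings on <SSO>.
DEFAULT_SSO = """<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config">
  <ApplicationDefaults entityID="https://sp.example.edu/shibboleth">
    <Sessions lifetime="28800" timeout="3600">
      <SSO entityID="https://idp.example.edu/idp/shibboleth">
        SAML2
      </SSO>
    </Sessions>
  </ApplicationDefaults>
</SPConfig>"""

# Constructed sample: the same config with the HTTP-POST fix applied.
POST_ONLY_SSO = DEFAULT_SSO.replace(
    '<SSO entityID="https://idp.example.edu/idp/shibboleth">',
    '<SSO entityID="https://idp.example.edu/idp/shibboleth"\n'
    f'           outgoingBindings="{HTTP_POST}">')

if __name__ == "__main__":
    for name, cfg in (("default", DEFAULT_SSO), ("post-only", POST_ONLY_SSO)):
        print(name, sso_binding_findings(cfg) or ["ok: HTTP-POST forced"])
```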