Handling CORS to shibboleth protected sites

Christopher Bongaarts cab at umn.edu
Wed Aug 19 15:02:53 UTC 2020

My guide to doing this (which others have reported issues with, though 
we did have it working at one point in the past) is here:


I've tried to call out why the various parts are needed.  In this case:

If the shib-protected site is using HTTP-Redirect, it won't work because 
XmlHttpRequest follows them and does not propagate the necessary 
headers.  You need to force HTTP-POST instead; for the Shib SP, you can 
do this:

|<||SSO| |entityID||=||"https://idp.example.edu/idp/shibboleth"| 

On 8/18/2020 12:46 PM, Allan West wrote:
> I need some advice on current, working practices to allow calls from
> another site into a shibboleth-protected site. We are getting CORS
> errors in the browsers for AJAX calls and other methods that try to call
> content from a shibboleth protected site. These services worked until
> recently, and now they do not, almost certainly because of increased
> security settings in browsers.
> What are others doing to allow CORS calls into shibboleth protected sites?
> I had a separate thread, "Shib SP to IDP missing header for CORS" based
> on my problems with trouble-shooting. I learned that headers can be set
> and carried from the SP to the IdP. However, but those headers will
> never be passed through the IdP, nor does the IdP seem happy with the
> request to authenticate / validate the connection. In Firefox Inspector
> traces, the shibboleth-protected site uses a 302 redirect to the IdP to
> validate, and the IdP errors on CORS, causing both SP and IdP lines to show:
>      CORS Missing Allow Origin
> That means we need to be allowing this access in some other way, but I
> haven't found a good statement of practice on what anyone is doing right
> now to allow CORS calls into a shibboleth protected site.
> Thanks,
> Allan West
> UFIT linux system administrator
> allan at ufl.edu

%%  Christopher A. Bongaarts   %%  cab at umn.edu          %%
%%  OIT - Identity Management  %%  http://umn.edu/~cab  %%
%%  University of Minnesota    %%  +1 (612) 625-1809    %%

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20200819/5430184c/attachment.htm>

More information about the users mailing list