Handling CORS to shibboleth protected sites

Allan West allan at ufl.edu
Wed Aug 19 20:22:16 UTC 2020

Thank you very much for your reply. I'm a bit out of my depth in web
server configuration here.

I can view the shibboleth protected back-end target file: it sends a
_shibsession_ cookie along with the 302 redirect, makes a quick
round-trip through the IdP, and it sends a _shibsession_ cookie along
with the content. If I try to access the front-end page the same target
is redirecting to the IdP and is _not_ including the existing
_shibsession_ cookie for the back end site.

If I leave the site as it was, using HTTP-Redirect, and the
_shibsession_ cookie exists, wouldn't it make an appropriate circuit and
return the data that the front-end site needs?

I changed the HTTP-Redirect to HTTP-POST, and then the 200 "success"
page returned from the call is:

    Note: Since your browser does not support JavaScript, you must press
    the Continue button once to proceed to the authentication service.
    [ Continue ]

Please feel free to tell me I'm missing something obvious.

On 2020/08/19 11:02 AM, Christopher Bongaarts wrote:
> *[External Email]*
> My guide to doing this (which others have reported issues with, though
> we did have it working at one point in the past) is here:
> https://wiki.shibboleth.net/confluence/display/IDP30/Cross-origin+AJAX+requests+for+Shib-protected+resources
> I've tried to call out why the various parts are needed.  In this case:
> If the shib-protected site is using HTTP-Redirect, it won't work
> because XmlHttpRequest follows them and does not propagate the
> necessary headers.  You need to force HTTP-POST instead; for the Shib
> SP, you can do this:
> |<||SSO| |entityID||=||"https://idp.example.edu/idp/shibboleth
> <https://urldefense.proofpoint.com/v2/url?u=https-3A__idp.example.edu_idp_shibboleth&d=DwMDaQ&c=sJ6xIWYx-zLMB3EPkvcnVg&r=ShjSugJjxZV-LntxbSRXig&m=btdjvuEVkCjEyLjuNzOtWvZ5YHtkArvfG5TCcn6VbtM&s=qH7ubCsy53YG94G26tX8CNBLZTbbTN-3j4qFQtRVDlE&e=>"|
> |outgoingBindings||=||"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"||>|
> |  ||SAML2|
> |</||SSO||>|
> On 8/18/2020 12:46 PM, Allan West wrote:
>> I need some advice on current, working practices to allow calls from
>> another site into a shibboleth-protected site. We are getting CORS
>> errors in the browsers for AJAX calls and other methods that try to call
>> content from a shibboleth protected site. These services worked until
>> recently, and now they do not, almost certainly because of increased
>> security settings in browsers.
>> What are others doing to allow CORS calls into shibboleth protected sites?
>> I had a separate thread, "Shib SP to IDP missing header for CORS" based
>> on my problems with trouble-shooting. I learned that headers can be set
>> and carried from the SP to the IdP. However, but those headers will
>> never be passed through the IdP, nor does the IdP seem happy with the
>> request to authenticate / validate the connection. In Firefox Inspector
>> traces, the shibboleth-protected site uses a 302 redirect to the IdP to
>> validate, and the IdP errors on CORS, causing both SP and IdP lines to show:
>>     CORS Missing Allow Origin
>> That means we need to be allowing this access in some other way, but I
>> haven't found a good statement of practice on what anyone is doing right
>> now to allow CORS calls into a shibboleth protected site.
>> Thanks,
>> Allan West
>> UFIT linux system administrator
>> allan at ufl.edu
> -- 
> %%  Christopher A. Bongaarts   %%  cab at umn.edu          %%
> %%  OIT - Identity Management  %%  http://umn.edu/~cab  %%
> %%  University of Minnesota    %%  +1 (612) 625-1809    %%

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20200819/d0f21af5/attachment.htm>

More information about the users mailing list