Handling CORS to shibboleth protected sites

Christopher Bongaarts cab at umn.edu
Thu Aug 20 14:50:29 UTC 2020

On 8/19/2020 3:22 PM, Allan West wrote:
> I can view the shibboleth protected back-end target file: it sends a 
> _shibsession_ cookie along with the 302 redirect, makes a quick 
> round-trip through the IdP, and it sends a _shibsession_ cookie along 
> with the content. If I try to access the front-end page the same 
> target is redirecting to the IdP and is _not_ including the existing 
> _shibsession_ cookie for the back end site.
> If I leave the site as it was, using HTTP-Redirect, and the 
> _shibsession_ cookie exists, wouldn't it make an appropriate circuit 
> and return the data that the front-end site needs?
> I changed the HTTP-Redirect to HTTP-POST, and then the 200 "success" 
> page returned from the call is:
>     Note: Since your browser does not support JavaScript, you must press
>     the Continue button once to proceed to the authentication service.
>     [ Continue ]
> Please feel free to tell me I'm missing something obvious.

Check the page on CORS for the section on the specific steps you have to
do in the JavaScript for the frontend in order to make it work. Just
doing a plain XMLHttpRequest as usual is not sufficient, since you have
to handle the flow to the IdP "manually".

%%  Christopher A. Bongaarts   %%  cab at umn.edu          %%
%%  OIT - Identity Management  %%  http://umn.edu/~cab  %%
%%  University of Minnesota    %%  +1 (612) 625-1809    %%
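
One way a front end can handle that flow itself, as an added example that is not part of the original thread and does not reproduce the steps from the CORS page mentioned above. `BACKEND_URL`, `classifyResponse`, `fetchProtected` and `onLoginRequired` are hypothetical names, and the back end is assumed to answer with `Access-Control-Allow-Credentials: true` and an `Access-Control-Allow-Origin` that names the front end's origin.

```javascript
// Added example; every name and URL here is a placeholder, not from the thread.
const BACKEND_URL = "https://backend.example.edu/data.json";

// Decide what a credentialed cross-origin response really is, so the SP's
// login hand-off is never mistaken for the data the front end asked for.
function classifyResponse(res, backendOrigin) {
  const type = (res.headers.get("content-type") || "").toLowerCase();
  const finalOrigin = res.url ? new URL(res.url).origin : backendOrigin;
  // HTTP-Redirect binding: the 302 was followed and the response is the IdP's.
  if (res.redirected && finalOrigin !== backendOrigin) return "login-required";
  // HTTP-POST binding: a 200 HTML page holding the auto-submit "Continue" form.
  if (res.ok && type.startsWith("text/html")) return "login-required";
  if (res.ok && type.includes("json")) return "data";
  return "error";
}

async function fetchProtected(url, onLoginRequired) {
  let res;
  try {
    // credentials: "include" makes the browser attach the back end's session
    // cookie to a cross-origin request; without it the cookie is left out.
    res = await fetch(url, {
      credentials: "include",
      headers: { Accept: "application/json" },
    });
  } catch (err) {
    // A followed redirect to an IdP that sends no CORS headers surfaces as a
    // network error. Assumption: treat it as "no session yet".
    return onLoginRequired(url);
  }
  const kind = classifyResponse(res, new URL(url).origin);
  if (kind === "data") return res.json();
  if (kind === "login-required") return onLoginRequired(url);
  throw new Error("Unexpected response: HTTP " + res.status);
}

// In a browser, onLoginRequired would establish the session with a top-level
// navigation (for example window.location.assign(url)) and then retry the call.
```
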
