Handling CORS to shibboleth protected sites
cab at umn.edu
Thu Aug 20 14:50:29 UTC 2020
On 8/19/2020 3:22 PM, Allan West wrote:
> I can view the shibboleth protected back-end target file: it sends a
> _shibsession_ cookie along with the 302 redirect, makes a quick
> round-trip through the IdP, and it sends a _shibsession_ cookie along
> with the content. If I try to access the front-end page the same
> target is redirecting to the IdP and is _not_ including the existing
> _shibsession_ cookie for the back end site.
> If I leave the site as it was, using HTTP-Redirect, and the
> _shibsession_ cookie exists, wouldn't it make an appropriate circuit
> and return the data that the front-end site needs?
> I changed the HTTP-Redirect to HTTP-POST, and then the 200 "success"
> page returned from the call is:
> the Continue button once to proceed to the authentication service.
> [ Continue ]
> Please feel free to tell me I'm missing something obvious.
Check the page on CORS for the section on the specific steps you have to
doing a plain XmlHttpRequest as usual is not sufficient, since you have
to handle the flow to the IdP "manually".
%% Christopher A. Bongaarts %% cab at umn.edu %%
%% OIT - Identity Management %% http://umn.edu/~cab %%
%% University of Minnesota %% +1 (612) 625-1809 %%
More information about the users