Shibboleth IDP3 & IDP4 - CORS Handling

prasanna cg prasannacgin at yahoo.in
Mon Aug 31 17:58:25 UTC 2020


Hello Experts,

We have an application reporting CORS issue for the same use-case as mentioned in the below IDPv3 knowledge article

https://wiki.shibboleth.net/confluence/display/IDP30/Cross-origin+AJAX+requests+for+Shib-protected+resources <https://wiki.shibboleth.net/confluence/display/IDP30/Cross-origin+AJAX+requests+for+Shib-protected+resources>

My Current State: IDP version is v3.3.1 and is deployed in Tomcat 8 / JDK 8. We are in parallel working to upgrade the IDP to v4 and Tomcat to v9 / Corretto JDK 11

Before going ahead with applying the workaround suggested, I wanted to reach out and get below questions answered. 

Questions:

Work around for Current state:

1) The above article describes the workaround to be performed by adding the CORS filter from Jetty container into the IDP’s web.xml. For my IDP v3 deployed on Tomcat 8, should I be using the equivalent Tomcat’s CORS filter (from link below)  in the IDP’s Web.XML ?
https://tomcat.apache.org/tomcat-8.0-doc/config/filter.html#CORS_Filter_and_HttpServletRequest_attributes <https://tomcat.apache.org/tomcat-8.0-doc/config/filter.html#CORS_Filter_and_HttpServletRequest_attributes>

Workaround for my future state:

2) I do not see a similar knowledge article for IDPv4 yet. So can you confirm if the same workaround is applicable for IDPv4 on Tomcat v9 too ? Or is there anything different ?


Please help me understand !

Thanks,
Prasanna
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20200831/5aed089d/attachment.htm>


More information about the users mailing list