Use HTTP verb in Service Provider request mapper
fabien.berteau at manomano.com
Thu Oct 21 12:51:12 UTC 2021
Thank you very much for your answers and especially for your availability !
I thought I could avoid ECP in our SPAs by forcing the user to authenticate
in order to download the SPA (classic SP initiated browser flow), then by
embedding the SP session cookie during each call to a web service based on
XMLHTTPRequest (same domain, so the browser should add it ?). Am I wrong ?
I will connect to the Jira to ask for that improvement, thanks again.
Fabien Berteau | Security Architect
fabien.berteau at manomano.com <aurelien.lajoie at manomano.com>
Le jeu. 21 oct. 2021 à 14:00, Cantor, Scott <cantor.2 at osu.edu> a écrit :
> On 10/21/21, 2:49 AM, "users on behalf of Fabien BERTEAU" <
> users-bounces at shibboleth.net on behalf of fabien.berteau at manomano.com>
> > I want to try to plug the Shibboleth SP on Kong and use the XML based
> request mapper to centralize on
> > Kong/SP all host/verb/path/query access control.
> You can't just use browser profile flows for web services, so no, that
> doesn't work on the face of it, but in terms of the feature, it's not a big
> ask. If you have enough will to get access to Jira and file the request I
> can probably get it into 3.3.
> -- Scott
> For Consortium Member technical support, see
> To unsubscribe from this list send an email to
> users-unsubscribe at shibboleth.net
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the users