Use HTTP verb in Service Provider request mapper

Fabien BERTEAU fabien.berteau at
Thu Oct 21 12:51:12 UTC 2021

Thank you very much for your answers and especially for your availability!

I thought I could avoid ECP in our SPAs by forcing the user to authenticate
in order to download the SPA (classic SP-initiated browser flow), then by
embedding the SP session cookie during each call to a web service based on
XMLHttpRequest (same domain, so the browser should add it?). Am I wrong?

I will connect to the Jira to ask for that improvement, thanks again.


Fabien Berteau | Security Architect



On Thu, Oct 21, 2021 at 14:00, Cantor, Scott <cantor.2 at> wrote:

> On 10/21/21, 2:49 AM, "users on behalf of Fabien BERTEAU" <
> users-bounces at on behalf of fabien.berteau at>
> wrote:
> > I want to try to plug the Shibboleth SP on Kong and use the XML based
> > request mapper to centralize on Kong/SP all host/verb/path/query
> > access control.
> You can't just use browser profile flows for web services, so no, that
> doesn't work on the face of it, but in terms of the feature, it's not a big
> ask. If you have enough will to get access to Jira and file the request I
> can probably get it into 3.3.
> -- Scott