Use HTTP verb in Service Provider request mapper

Fabien BERTEAU fabien.berteau at
Thu Oct 21 13:00:55 UTC 2021

All this is precisely the subject of a prototype. It should allow us to
validate these hypotheses.
I know how to use Shibboleth to protect classical server-side applications,
but I am a newbie at protecting an SPA.
Do you have documentation on how to do that?


Fabien Berteau | Security Architect


fabien.berteau at

On Thu, Oct 21, 2021 at 14:56, Cantor, Scott <cantor.2 at> wrote:

> On 10/21/21, 8:51 AM, "users on behalf of Fabien BERTEAU" <
> users-bounces at on behalf of fabien.berteau at>
> wrote:
> >    I thought I could avoid ECP in our SPAs by forcing the user to
> authenticate in order to download the SPA
> > (classic SP initiated browser flow), then by embedding the SP session
> cookie during each call to a web service
> > based on XMLHTTPRequest (same domain, so the browser should add it ?).
> Am I wrong ?
> That might work (assuming you change the cookie properties to strip out
> HttpOnly), but only until it times out. Most of the time that falls apart
> later on because of the limitations of those Ajax requests and the error
> handling, but to be clear I didn't realize you meant you were making Ajax
> calls, I assumed it was just a web service.
> -- Scott
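Added example, not code from the thread or from the Shibboleth project: the same-origin Ajax pattern Fabien describes, written with `fetch`, together with the handling for the failure Scott points at, namely the SP session timing out and the next Ajax call being answered with a redirect into the SAML login flow instead of JSON. Assumptions (hypothetical): the SPA and its web service share one origin such as `https://app.example.org/`, the service answers `application/json`, and the SP's login handler is at the default `/Shibboleth.sso/Login` accepting a `target` parameter. `redirect: 'manual'` is used so that any redirect from the SP becomes an `opaqueredirect` response the code can recognise, rather than the browser following it into the IdP and failing in an opaque way.

```javascript
// Added example (not from the original thread). Calls a Shibboleth-SP-protected
// web service from an SPA on the same origin and detects a lost SP session.
//
// Assumptions (hypothetical, not taken from the message above):
//   - SPA and API share one origin, so credentials: 'same-origin' makes the
//     browser attach the SP session cookie to the request.
//   - The API answers 200 + application/json when the session is valid.
//   - The SP login handler lives at /Shibboleth.sso/Login and accepts ?target=.

// Decide what an API response means for the SPA. Takes plain values so it can
// be exercised without a browser.
//   'ok'     - session valid, body is JSON
//   'reauth' - SP session is gone (redirect into the SAML flow, or 401/403);
//              only a top-level navigation can complete that flow, not XHR
//   'error'  - something else went wrong
function classifyApiResponse({ status, type, contentType }) {
  // With redirect: 'manual', any redirect surfaces as an opaqueredirect
  // response with status 0. That is the SP sending the browser to login.
  if (type === 'opaqueredirect' || status === 0) return 'reauth';
  if (status === 401 || status === 403) return 'reauth';
  const isJson = /^application\/json\b/i.test(contentType || '');
  if (status === 200 && isJson) return 'ok';
  return 'error';
}

// URL that restarts the SP-initiated flow and returns to the SPA route the
// user was on. Handler path is an assumed default.
function loginUrl(returnTo, loginHandler = '/Shibboleth.sso/Login') {
  return `${loginHandler}?target=${encodeURIComponent(returnTo)}`;
}

// Browser-side wrapper around fetch for protected API calls.
async function callProtectedApi(path, options = {}) {
  const res = await fetch(path, {
    ...options,
    credentials: 'same-origin',   // send the SP session cookie
    redirect: 'manual',           // do not follow the SP into the IdP
    headers: { Accept: 'application/json', ...(options.headers || {}) },
  });
  const verdict = classifyApiResponse({
    status: res.status,
    type: res.type,
    contentType: res.headers.get('content-type'),
  });
  if (verdict === 'reauth') {
    // Full navigation: the SAML browser flow cannot run inside an Ajax call.
    window.location.assign(loginUrl(window.location.href));
    return null;
  }
  if (verdict === 'error') throw new Error(`API call failed: ${res.status}`);
  return res.json();
}
```

The point of the classifier is the `opaqueredirect` branch: when the SP session has expired, the SP answers the Ajax request with a 302 toward the IdP, and an application that simply parses the body as JSON will see an unexplained failure. Sending the user through `loginUrl()` re-establishes the session and returns them to the route they were on.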