<html><head></head><body><div style="font-family:verdana, helvetica, sans-serif;font-size:13px;"><div></div>
            <div>Scott, thanks. We did hope the SP/IdP timeout would be transparent to the application, but that is not the case. I assume this isn't a rare scenario (a user agent requests an SP-protected resource via HTTP POST without a valid SP session). What are the possible solutions to this? </div><div><br></div><div>Best regards,</div><div>William<br></div><div><br></div>
            
            <div id="ydpeae79d4eyahoo_quoted_9389264077" class="ydpeae79d4eyahoo_quoted">
                <div style="font-family:'Helvetica Neue', Helvetica, Arial, sans-serif;font-size:13px;color:#26282a;">
                    
                    <div>
                        On Tuesday, February 13, 2018, 3:19:30 PM EST, Cantor, Scott &lt;cantor.2@osu.edu&gt; wrote:
                    </div>
                    <div><br></div>
                    <div><br></div>
                    <div><div dir="ltr"><div class="ydpeae79d4eyqt9394920586" id="ydpeae79d4eyqtfd89570">> How to set up SP to handle this? Can SP use HTTP status code 307 when<br clear="none">> original request is a POST? From what I read, 307 is required to redirect HTTP<br clear="none">> POST request.</div><br clear="none"><br clear="none">The SP POST preservation logic recreates the original request and the appropriate codes are used, not a 307. Without that logic enabled, nothing it did would work anyway. The POST itself isn't being redirected, so I doubt that a 307 would be correct, nor would it fix anything. It would be horrible if it actually submitted the form to the IdP for example.<br clear="none"><br clear="none">Client side approaches to application development are inherently incompatible with browser-unaware SSO schemes if you enforce timeouts and lifetimes independent of the application, and you can't just assume that the round trip to the IdP will be transparent, so you're just delaying the inevitable by trying to make it work anyway.<br clear="none"><br clear="none">-- Scott<div class="ydpeae79d4eyqt9394920586" id="ydpeae79d4eyqtfd12713"><br clear="none"></div></div></div>
                </div>
            </div></div></body></html>