Issue description:

Assuming I have one web application(Java Saml2.0) who has a Sign in button to call ADFS(an identity provider) to authenticate.

It's using Javascript(Ajax has same issue) to call one endpoint of ADFS 2016. Since the request if sending from Javascript/Ajax, the browser would throw CORS error. (The ADFS2016 server side doesn't support modifying CORS header/response/origins)

And I heard from someone that one way to avoid the CORS error is to use redirect instead of using Ajax/Javascript to directly call one URL/endpoint.

Can someone give some insights for this situation? How can I modify my code to do such redirect without causing CORS?

PS: I don't want to lower browser security level to bypass CORS and I also don't want to upgrade to ADFS2019 though it supports customizing CORS origins.

CodePudding user response：

Im not sure if you are trying to achieve some special case by using javascript like this. But normally when authenticating a using using SAML you issue a HTTP redirect from the backend as a response to the user clicking the login button.

This redirect contains a encoded SAML authentication request in the URL that is parsed by ADFS to understand where the authentication request is coming from and how authenticates the user.

Ones ADFS authenticated the user, it will send the user a html page that auto posts a form to your application. The form contains a SAML authentication response containing the result of the authentication.