Some CSome relying parties may do CORS (Cross-Origin Resource Sharing) pre-flight requests towards the IdP. This page discuss some alternatives for handling that.
...
Jetty: https://www.eclipse.org/jetty/javadoc/jetty-9/org/eclipse/jetty/servlets/CrossOriginFilter.html
Example filter configuration for web.xml: Cross-origin AJAX requests for Shib-protected resources
Tomcat: https://tomcat.apache.org/tomcat-7.0-doc/config/filter.html#CORS_Filter
Spring CORS
...
Configuration
IdP V4.2 provides a native/proprietary mechanism for supporting this via Spring. A global bean called shibboleth.CorsConfigurations may contain a map of org.springframework.web.cors.CorsConfiguration declarations, where the key of each entry corresponds to the locations under the <context>/profile URL tree (e.g., /oidc/token correponds with https://idp.example.org/idp/profile/oidc/token).
...