SAML/SSO Ajax requests between two SP's

My brain is about to explode from a lack of understanding of SSO/SAML. Im currently working on a project whereby we are implementing a SSO identity provider using shibboleth.

We have SSO up and running and are able to authenticate via one app and navigate to the other unchallanged. Now, the next requirment is to have App A return a page that makes an Ajax call to App B without challange.

Now as we have things setup to work front channel (via browser redirects) then when we make the Ajax call to App A then we get a 301 response, and the redirects between SP/IdP begin, which Ajax obviously doesn't follow.

If on the other hand we make an Ajax call from App A to App A then it sends through it's local session Id and has no need to send a redirect to communicate with the IdP.

Now, if I manually navigate to App B via the browser and allow all the redirects to occur (and hence retrieve a local session cookie for App B too). Then I still cannot make Ajax requests from the response of App A. The reason for this is obviously that the browser will not s开发者_开发技巧end through the cookie info for App B as we are hitting a page on App A's domain.

So my questions are as follows:

• If App A and App B are sibling sub domains, can we somehow get the browser to pass through all required session cookies?

• I gather that this sort of Sp/IdP communication can occur via a back channel as aposed to the redirects that are occuring via the browser. What I don't understand is how this is possible :-). If I log in via App A then the IdP adds it's own session cookie, so it doesn't have to reauthenticate me when the redirects occur after visiting App B. But, if this was't done via redirects then when I visit App B, what can it send to the IdP to authenticate me, as my browser doesn't pass the IdP's cookie to App B in the first place.

Note:

Im sorry if this isn't too clear, I really can't explain this very well right now. Maybe it's better that I explain what I need to achieve.

• Hit an application and Sign in using SSO
• The application I signed into is a portal type app with a bunch of ajax widgets on it.
• Each widgit makes Ajax calls to other apps, which are also secured by SSO

Any ideas? Cheers, Chris.