TAMULib / Vireo

Vireo is a turnkey Electronic Thesis and Dissertation (ETD) Management System.
http://vireoetd.org/vireo/

Continue investigating Vireo 4 Batch export #80

Open jsavell opened 3 months ago

jsavell commented 3 months ago

The CORS error causing the export problem is solvable by narrowing the scope of the Shibboleth Apache/nginx configuration to exclude the refresh auth endpoint. This works, but depending on the Weaver auth implementation, could create a scenario where Weaver users log into CAS/IDP once, then keep their Weaver session alive via refresh even after their central CAS session has expired. Investigation is needed to rule this scenario in or out.

It may also be possible to solve the CORS error by re-configuring Vireo and auth to expect and allow credentials to be passed via XHR as described here: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials

This would avoid the concerns with the first solution, but hasn't been shown to work yet and would introduce some security questions of its own that need investigation.
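
The second option in the comment above depends on the browser's rules for credentialed cross-origin requests. The following is an added example, not code from Vireo, Weaver or the commenter: it models the browser-side check next to a server-side header builder that uses an exact-match origin allowlist. The hostnames and the names `ALLOWED_ORIGINS`, `corsHeadersFor` and `browserAccepts` are hypothetical.

```javascript
// Constructed placeholder: the single UI origin allowed to send credentials.
const ALLOWED_ORIGINS = new Set(["https://vireo.example.edu"]);

// Server side: build CORS response headers from the request's Origin header.
// Only an exact allowlist match is echoed back; unknown origins get no
// Access-Control-* headers, so the browser blocks the response.
function corsHeadersFor(origin, allowed = ALLOWED_ORIGINS) {
  const headers = { Vary: "Origin" }; // keep caches from mixing origins
  if (origin && allowed.has(origin)) {
    headers["Access-Control-Allow-Origin"] = origin;
    headers["Access-Control-Allow-Credentials"] = "true";
  }
  return headers;
}

// Browser side: is the response exposed to the calling script?
// withCredentials mirrors XMLHttpRequest.withCredentials.
function browserAccepts(requestOrigin, withCredentials, headers) {
  const acao = headers["Access-Control-Allow-Origin"];
  if (acao === undefined) {
    return { ok: false, reason: "no Access-Control-Allow-Origin header" };
  }
  if (!withCredentials) {
    const ok = acao === "*" || acao === requestOrigin;
    return { ok, reason: ok ? "allowed" : "origin mismatch" };
  }
  // Credentialed requests: the wildcard is never accepted, the origin must
  // match exactly, and Allow-Credentials must be the literal string "true".
  if (acao === "*") {
    return { ok: false, reason: "wildcard origin is rejected for credentialed requests" };
  }
  if (acao !== requestOrigin) {
    return { ok: false, reason: "origin mismatch" };
  }
  if (headers["Access-Control-Allow-Credentials"] !== "true") {
    return { ok: false, reason: "Access-Control-Allow-Credentials is not \"true\"" };
  }
  return { ok: true, reason: "allowed" };
}

// Constructed sample requests.
for (const origin of ["https://vireo.example.edu", "https://other.example.net"]) {
  const verdict = browserAccepts(origin, true, corsHeadersFor(origin));
  console.log(origin, "->", verdict.ok ? "exposed" : "blocked: " + verdict.reason);
}
```

A configuration that echoes any incoming `Origin` together with `Access-Control-Allow-Credentials: true` would pass the browser check for every site, which is why the builder compares against a fixed allowlist.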