Question

authenticating with SAML in an iframe

asked on February 10, 2023

Anyone successfully get an iframe to load Web Access when using SAML authentication? I swear I had this working but now it is not.

I have a web app that has an iframe with a web access direct link. I have my environment set up to auto login so if I open a new tab and hit my web access site, I'm in. We use Azure AD accounts now.

When this iframe loads I get the "login.microsoftonline.com refused to connect." error. Technically I get my STS site first, click SAML and then I get that error. I'm signed in to LF on my other tabs; I thought being logged into LF on another tab would cover the iframe. Anyone have any ideas?


Replies

replied on February 10, 2023

When the browser connects to https://login.microsoftonline.com, the response includes an X-Frame-Options: Deny header, which instructs the browser to not display the site in an iframe. So this is Azure's policy. Having the web client in an iframe can work if there is already an LFDS session, since that authentication flow does not involve contacting Azure. Though it can be tricky to ensure that there is already a session in a user-friendly way.

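The framing check described in the reply above, as an added example that is not part of the original thread or of any Laserfiche or Microsoft code: it evaluates `X-Frame-Options` and the CSP `frame-ancestors` directive (which overrides `X-Frame-Options` when both are sent) for each document an iframe tries to render, and reports the first one the browser would refuse. The hostnames `apps.example.com` and `sts.example.com` and the STS response headers are constructed placeholders; only the `login.microsoftonline.com` header comes from the thread.

```javascript
// Added example. Assumes one level of nesting (page -> iframe) and handles only
// exact-origin, 'self', 'none' and * sources; other source forms count as no match.
function framingDecision(headers, responseUrl, parentOrigin) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v).trim();
  const self = new URL(responseUrl).origin;

  // A CSP frame-ancestors directive, when present, overrides X-Frame-Options.
  const directive = (h['content-security-policy'] || '')
    .split(';')
    .map((d) => d.trim().split(/\s+/))
    .find((d) => d[0].toLowerCase() === 'frame-ancestors');
  if (directive) {
    const sources = directive.slice(1);
    const allowed = sources.some((s) =>
      s === '*' ||
      (s.toLowerCase() === "'self'" && self === parentOrigin) ||
      s.replace(/\/$/, '').toLowerCase() === parentOrigin);
    return { allowed, reason: `frame-ancestors ${sources.join(' ') || "'none'"}` };
  }

  const xfo = (h['x-frame-options'] || '').toUpperCase();
  if (xfo === 'DENY') return { allowed: false, reason: 'X-Frame-Options: DENY' };
  if (xfo === 'SAMEORIGIN') {
    return { allowed: self === parentOrigin, reason: 'X-Frame-Options: SAMEORIGIN' };
  }
  return { allowed: true, reason: 'no framing restriction' };
}

// Walk the documents the iframe would render, in order, and return the first
// one the browser would block (or null if every hop may be framed).
function firstBlockedHop(hops, parentOrigin) {
  for (const hop of hops) {
    const d = framingDecision(hop.headers, hop.url, parentOrigin);
    if (!d.allowed) return { url: hop.url, reason: d.reason };
  }
  return null;
}

const PARENT = 'https://apps.example.com'; // hypothetical embedding web app
const HOPS = [ // constructed sample: STS page first, then the Azure AD login page
  { url: 'https://sts.example.com/',
    headers: { 'Content-Security-Policy': "frame-ancestors 'self' https://apps.example.com" } },
  { url: 'https://login.microsoftonline.com/', headers: { 'X-Frame-Options': 'DENY' } },
];
console.log(firstBlockedHop(HOPS, PARENT));
```
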
replied on February 10, 2023

Thanks for the response Brian. I swear this was working at one point. I have been reading about this X-Frame-Options: Deny but I guess I assumed that if I'm already logged in to LF in a different tab, there would be no need to hit the Azure site to authenticate.

Is it just going to be hopeless to get an iFrame with Web Client working if we are on Azure accounts now moving forward? I would really love to integrate Laserfiche with my in web apps. What would you suggest?

replied on February 10, 2023

Can you describe the use cases a bit and if they strictly need to be in iFrames? The "easy" way around this problem is having links to Web Client/Forms/etc. that open in new tabs and thus don't run astray of the Azure AD login page's X-Frame-Options: Deny header.

If it must be an iframe, there might be hacky workarounds like a script on your web app's page that auto-launches a specific authenticated Form in a new tab. Since you have auto-login configured, Forms will redirect to LFDSSTS, which will redirect to AAD, which will auto-auth, and go back to the originally requested Form. Add JavaScript to this form that closes the tab on load. Now you're guaranteed* to have an LFDSSTS token, which iframed web client will happily accept.

Some general reading: https://github.com/AzureAD/microsoft-authentication-library-for-js/blob/dev/lib/msal-browser/docs/iframe-usage.md

It looks like one way someone else dealt with this issue for a different application was to have a config option that launches the AAD auth window in a popup rather than an iframe. That's not something you can do yourself, but I'll bring it up to Dev to evaluate as a feature request.

https://developer.genesys.cloud/forum/t/embed-framework-sso-iframe-x-frame-options-to-deny/15897/2

replied on February 13, 2023

Here is one use case I had in mind. I have a Training program that lets the user select people to train. Once people are selected, a list of available trainings is shown. These training documents are in Laserfiche. Currently when they select a training, the document opens in a new tab. What I was hoping to do was get that document to open in an iFrame so that the user doesn't have to manage tabs. Once they are done reviewing the document, they press a button to confirm they have read and understand the document and I close the iFrame and display remaining trainings.

I'll look at some of your workarounds. Thanks @████████
