IdentityProvider pop out window
-
Hi,
Is there a way to pop out the IdentityProvider login screen rather than navigate within the same window?
I am seeing an issue within an iframe when using FusionAuth with a 3rd party SP-initiated SAML authentication. When the user is directed back to FusionAuth within an iframe they are presented with a login window again. At this point they click the identity provider button to initiate the SAML flow. However, AzureAD returns "X-Frame-Options Deny", which in Safari blocks any further progress. This is only an issue with Safari, but that does include Safari on the desktop and iOS devices.
Flow e.g.
My App -> iframe[3rd Party --SAMLv2--> FusionAuth --SAMLv2--> AzureAD]
If we are able to pop out the IdentityProvider flow into a separate window, this would negate the issue. I am also open to any other suggestions at this point.
-
@amar-sibia Nope, there's no way to have the login form be in a popout window right now (that I am aware of).
This sounds like a feature request too. You could always file an issue with the specific use case, but we couldn't commit to any timeline right now.
As an alternative, have you tried any of the workarounds here (I haven't, I just found them with a Google search): https://github.com/AzureAD/microsoft-authentication-library-for-js/issues/84
HTH.
-
FusionAuth will remove the X-Frame-Options header if the origin is configured in the OAuth config as an Authorized origin.
But it sounds like in your case AzureAD is the one adding this header, so you would have to determine if this is something you can control in AzureAD through configuration.
In general, running the FusionAuth login through an IFRAME could work; however, unless you are doing this all within the same domain or sub-domain, or if you have any 3rd party domains, in practice it won't work due to the ever-increasing strict cookie handling of mainstream browsers.
-
Thank you for the swift responses. We have added the origins to our OAuth config, which fixed our initial "X-Frame-Options" Deny issue. However, this wouldn't fix our problem with Azure returning it and Safari blocking the rendering.
It doesn't look like we are able to change any config in Azure to change the Deny value, unless anyone has any suggestions.
Our domains are as follows:
env.myapp.io -> iframe[ 3rdparty.io --SAMLv2--> auth.myapp.io --SAMLv2--> login.microsoftonline.com]
Any suggestions?
@dan that link doesn't really suggest anything which looks implementable without either changing a library in FusionAuth or using OpenID.
-
Bummer.
Suggestions:
- File a bug report with Azure about being able to control the frame header.
- File a feature request with FusionAuth: https://github.com/fusionauth/fusionauth-issues/issues. If the community needs this feature, it'll be voted up and bubble up the priority list.
- Don't run the login window in an iframe.
-
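To check which hop of a framed login chain will be refused, the added example below (not part of any post in this thread, and not FusionAuth or Azure code) evaluates a response's X-Frame-Options and CSP frame-ancestors headers against the chain of framing origins. The function names, the simplified source matching and the sample headers are assumptions constructed for illustration; origins must be passed in normalized `scheme://host` form.

```javascript
// Added example: would a browser render this response inside a frame?
// Simplified subset of CSP source matching; all sample data is constructed.
function sourceMatches(source, origin, selfOrigin) {
  if (source === "*") return true;
  if (source.toLowerCase() === "'self'") return origin === selfOrigin;
  if (source.startsWith("'")) return false; // 'none' and other keywords match no origin
  const m = /^(?:(https?):\/\/)?(\*\.)?([^/:]+)(?::(\d+|\*))?$/.exec(source);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  const o = new URL(origin);
  const originPort = o.port || (o.protocol === "https:" ? "443" : "80");
  if (scheme && scheme + ":" !== o.protocol) return false;
  if (port && port !== "*" && port !== originPort) return false;
  return wildcard ? o.hostname.endsWith("." + host) : o.hostname === host;
}

// ancestors: origins of every frame above the response. An empty array means a
// top-level window (for example a pop-out), which framing headers never block.
function framingDecision(headers, ancestors, pageOrigin) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v).trim();
  if (ancestors.length === 0) return { allowed: true, reason: "top-level window" };
  const directive = (h["content-security-policy"] || "").split(";")
    .map(d => d.trim().split(/\s+/))
    .find(d => d[0].toLowerCase() === "frame-ancestors");
  if (directive) { // per the CSP spec, frame-ancestors replaces X-Frame-Options
    const sources = directive.slice(1);
    const ok = ancestors.every(a => sources.some(s => sourceMatches(s, a, pageOrigin)));
    return { allowed: ok, reason: "CSP frame-ancestors" };
  }
  const xfo = (h["x-frame-options"] || "").toUpperCase();
  if (xfo === "DENY") return { allowed: false, reason: "X-Frame-Options: DENY" };
  if (xfo === "SAMEORIGIN") {
    const ok = ancestors.every(a => a === pageOrigin);
    return { allowed: ok, reason: "X-Frame-Options: SAMEORIGIN" };
  }
  return { allowed: true, reason: "no enforceable framing header" };
}

// Constructed responses using the origins named in the thread.
const parentChain = ["https://env.myapp.io"];
const samples = [
  [{ "X-Frame-Options": "Deny" }, parentChain, "https://login.microsoftonline.com"],
  [{ "X-Frame-Options": "Deny" }, [], "https://login.microsoftonline.com"],
  [{ "Content-Security-Policy": "frame-ancestors https://*.myapp.io" }, parentChain, "https://auth.myapp.io"],
];
for (const [hdrs, anc, page] of samples) console.log(page, anc, framingDecision(hdrs, anc, page));
```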