FusionAuth

    IdentityProvider pop out window

    • amar.sibia

      Hi,

      is there a way to pop out the IdentityProvider login screen rather than navigate within the same window?

      I am seeing an issue within an iframe when using FusionAuth with a 3rd party SP-initiated SAML authentication. When the user is directed back to FusionAuth within an iframe they are presented with a login window again. At this point they click the identity provider button to initiate the SAML flow. However, AzureAD returns "X-Frame-Options Deny" which in Safari blocks any further progress. This is only an issue with Safari, but that does include Safari on the desktop and iOS devices.

      Flow e.g.
      My App -> iframe[3rd Party --SAMLv2--> FusionAuth --SAMLv2--> AzureAD]

      If we are able to pop out the IdentityProvider flow into a separate window, this would negate the issue. I am also open to any other suggestions at this point.

      • dan

        @amar-sibia Nope, there's no way to have the login form be in a popout window right now (that I am aware of).

        This sounds like a feature request too. You could always file an issue with the specific use case, but we couldn't commit to any timeline right now.

        As an alternative, have you tried any of the workarounds here (I haven't, I just found them with a Google search): https://github.com/AzureAD/microsoft-authentication-library-for-js/issues/84

        HTH.

        --
        FusionAuth - Auth for devs, built by devs.
        https://fusionauth.io

        • robotdan

          FusionAuth will remove the X-Frame-Options header if the origin is configured in the OAuth config as an Authorized origin.

          But it sounds like in your case AzureAD is the one adding this header, so you would have to determine if this is something you can control in AzureAD through configuration.

          In general, running the FusionAuth login through an IFRAME could work, but only if you are doing this all within the same domain or sub-domain. If you have any 3rd party domains, in practice it won't work due to the ever increasingly strict cookie handling of mainstream browsers.

          • amar.sibia

            Thank you for the swift responses. We have added the origins to our OAuth config which fixed our initial "X-Frame-Options" Deny issue. However, this wouldn't fix our problem with Azure returning it and Safari blocking the rendering.

            It doesn't look like we are able to change any config in Azure to change the Deny value, unless anyone has any suggestions.

            Our domains are as follows:

            env.myapp.io -> iframe[ 3rdparty.io --SAMLv2--> auth.myapp.io --SAMLv2--> login.microsoftonline.com]

            Any suggestions?

            @dan that link doesn't really suggest anything which looks implementable without either changing a library in FusionAuth or using OpenID.

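To find which hop in a chain like the one above refuses to be framed, each hop's response headers can be evaluated the way a browser would. This is an added example, not part of the thread or FusionAuth's own code; the header values are constructed, the `3rdparty.io` policy is an assumption, and source matching is simplified (no ports or paths).

```javascript
// Added example: decide from response headers whether a hop may render in a frame.
// ancestors = origins of every embedding document (here only the top-level page).
function framingVerdict(headers, resourceOrigin, ancestors) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v.trim();
  // Per the CSP spec, frame-ancestors takes precedence over X-Frame-Options.
  const fa = (h['content-security-policy'] || '').split(';')
    .map(d => d.trim().split(/\s+/))
    .find(d => d[0].toLowerCase() === 'frame-ancestors');
  if (fa) {
    const bad = ancestors.find(a => !fa.slice(1).some(s => matchSource(s, a, resourceOrigin)));
    return bad
      ? { allowed: false, reason: `frame-ancestors excludes ${bad}` }
      : { allowed: true, reason: 'frame-ancestors permits every ancestor' };
  }
  const xfo = (h['x-frame-options'] || '').toUpperCase();
  if (xfo === 'DENY') return { allowed: false, reason: 'X-Frame-Options: DENY' };
  if (xfo === 'SAMEORIGIN' && ancestors.some(a => a !== resourceOrigin))
    return { allowed: false, reason: 'X-Frame-Options: SAMEORIGIN with cross-origin ancestor' };
  return { allowed: true, reason: 'no framing restriction sent' };
}

// Simplified source matching: 'none', 'self', *, exact origin, scheme://*.host
function matchSource(src, origin, self) {
  if (src === "'none'") return false;
  if (src === "'self'") return origin === self;
  if (src === '*') return true;
  if (src.includes('://*.')) {
    const [scheme, host] = src.split('://*.');
    return origin.startsWith(scheme + '://') && origin.endsWith('.' + host);
  }
  return origin === src;
}

// Constructed sample responses for the hops named in the thread (not captured traffic).
const TOP = 'https://env.myapp.io';
const hops = [
  { origin: 'https://3rdparty.io',   // assumed policy
    headers: { 'Content-Security-Policy': "default-src 'self'; frame-ancestors https://*.myapp.io" } },
  { origin: 'https://auth.myapp.io', headers: {} }, // X-Frame-Options removed for an Authorized origin
  { origin: 'https://login.microsoftonline.com', headers: { 'X-Frame-Options': 'DENY' } },
];

// First hop in the redirect chain whose response refuses to be framed, or null.
function firstBlockedHop(chain, ancestors) {
  return chain.find(hop => !framingVerdict(hop.headers, hop.origin, ancestors).allowed) || null;
}

console.log(firstBlockedHop(hops, [TOP]));
```

With real traffic, the `headers` objects would come from the responses recorded for each redirect in the browser's network panel.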
            • dan @amar.sibia

              @amar-sibia

              Bummer.

              Suggestions:

              • file a bug report with Azure about being able to control the frame header.
              • file a feature request with FusionAuth: https://github.com/fusionauth/fusionauth-issues/issues. If the community needs this feature, it'll be voted up and bubble up the priority list.
              • don't run the login window in an iframe 🙂
