ADFS 2016 X-Frame-Options to deny

1
votes

I'm using adal.js on my react app (using react-adal wrapper). I configured my app to work with my ADFS 2016 server (on premise), and the authentication process works fine, but after the ADFS SSO cookie expired, when the client sends the renew token request (in an hidden iframe), the browser shows in the console the following error: refuse to display 'https://myadfs/adfs/ls/SAMLRequest=...' in a new frame because it set 'X-frame-options' to deny.

In order to reauthenticate, the user needs to refresh the page (F5).

Is there any solution / workaround to this problem?

2
adal.jsadfs4.0

2 Answers

1
votes

ADFS <= 2016 does not allow iFrame based logins for any interactive authentication for security reasons. This would have worked if the user did not need to perform an interactive sign-in (either SSO cookie or WIA).

The right pattern (since you are on 2016) is to use OIDC flows to log into the application and use the refresh token to get new access tokens.

Even here you need to handle the refresh token expired case where you will need to store your app context locally (cookie or local cache) and enable a full redirect to ADFS.

ADFS 2019 now has the option where an admin can configure options for which host(s) they allow iFrames by controlling the headers.

Thanks //Sam (Twitter: @MrADFS)

1
votes

Like I explained in this similar question, the commandlet "Set-AdfsResponseHeaders" is also supported on ADFS 2016 since a recent MS update (about May 2019) :

Set-AdfsResponseHeaders -RemoveHeaders "X-Frame-Options"

Howeber, I agree with SamuelD MSFT on the fact that it's not a good practice any more to use iFrame integration nowadays.