Disguising the IDP login page

Paul Hethmon paul.hethmon at clareitysecurity.com
Fri Feb 1 12:07:01 EST 2013

I would suggest you say no to the iframe. It introduces a whole slew of
security and XSS problems. Given you're in the same institution, it would
be possible with the document.domain, but it's something to break every
time you do an update.

What I do, though it requires some custom development, is to use different
login pages based on the requesting entityID. I believe the wiki also has
some examples of being able to customize to a certain extent with the
standard login handlers.

Not being in the higher education arena, I'm not sure what political
pressures you have, but my thought would be that if it's important enough
for this group to be part of your SSO solution, then they should be fully
vested in it. Meaning, use your institution-branded login page, which lets
the users know who it is all the time instead of this one app out in the

On 2/1/13 11:50 AM, "Cotton, Kim" <cottonk at umsystem.edu> wrote:

>We have an sp (internal to our organization) that would like to mask our
>IDP login page with their own login page by making a call to the IDP in
>an iframe.  In order to make this work we'd have to specifically set a
>document.domain variable on the IDP login page.
>My question is are there security risks we should consider?  Also, are
>there user or political implications that might raise flags, particularly
>for multi campus higher education institutions?  For example, users won't
>know they're logging in with our secure authentication system.  Some have
>argued that's not an issue with users today.
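The two defensive points in the reply above, refusing to be framed and selecting a login page by the requesting SP's entityID, can be sketched in a small stand-alone WSGI app. This is an added example written for this page; it is not code from the thread and not part of the Shibboleth IdP. The entityIDs, template names and `render` helper are constructed placeholders, and the `entityID` query parameter is an assumption about how the requesting SP is identified.

```python
"""Added example (not from the thread, not Shibboleth IdP code): a minimal
login-page front end that (1) refuses to be embedded in an iframe and
(2) picks a branded template by the requesting SP's entityID, falling back
to the institution-branded page for anything not explicitly allowed."""
from urllib.parse import parse_qs, urlencode

# Constructed allowlist; in a real deployment this is configuration, not code.
BRANDED_TEMPLATES = {
    "https://sp-alpha.example.edu/shibboleth": "login_alpha.html",
    "https://sp-beta.example.edu/shibboleth": "login_beta.html",
}
DEFAULT_TEMPLATE = "login_institution.html"


def anti_framing_headers():
    """Headers that make browsers refuse to render this page inside a frame.

    X-Frame-Options covers older browsers; the CSP frame-ancestors directive
    is the current mechanism. Sending both avoids depending on either alone.
    """
    return [
        ("X-Frame-Options", "DENY"),
        ("Content-Security-Policy", "frame-ancestors 'none'"),
    ]


def choose_template(entity_id):
    """Exact-match lookup only: the raw entityID string never becomes a path."""
    return BRANDED_TEMPLATES.get(entity_id, DEFAULT_TEMPLATE)


def login_app(environ, start_response):
    """WSGI application serving the login page with anti-framing headers."""
    params = parse_qs(environ.get("QUERY_STRING", ""))
    entity_id = params.get("entityID", [None])[0]
    template = choose_template(entity_id)
    # The template name comes from the allowlist, so it is safe to interpolate.
    body = f"<html><body>login page: {template}</body></html>".encode("utf-8")
    headers = [("Content-Type", "text/html; charset=utf-8")] + anti_framing_headers()
    start_response("200 OK", headers)
    return [body]


def render(entity_id=None):
    """Run login_app against a constructed WSGI environ (no network needed).

    Returns (status, headers_dict, body_bytes) so the behaviour can be checked.
    """
    captured = {}

    def start_response(status, headers):
        captured["status"] = status
        captured["headers"] = dict(headers)

    query = urlencode({"entityID": entity_id}) if entity_id else ""
    environ = {"REQUEST_METHOD": "GET", "QUERY_STRING": query}
    body = b"".join(login_app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    status, headers, body = render("https://sp-alpha.example.edu/shibboleth")
    print(status, headers, body.decode("utf-8"))
```

With these headers in place, an SP that tries to load the login page in an iframe gets a blank frame rather than a scriptable document, so there is nothing for a `document.domain` relaxation to expose; branding per SP is done server-side from an allowlist instead.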
