IDP in iFrame
CANTEA, SERBAN
serban.cantea at lhind.dlh.de
Mon May 11 10:11:37 UTC 2020
Hello,
we’re running the Shibboleth IDP on a domain I’ll call example.com
We have two service providers SP1 (which also lives on example.com) and SP2 (which lives on test.com)
SP2 has an iFrame which shows a protected page from SP1. This worked fine so far, since the users have to log in to access SP2 and the iFrame making the call to SP2 had all the cookies needed for SSO by SP1. Since the introduction of the “SameSite” cookie parameters in the new versions of Chrome, this behaviour is now broken.
My questions are: is this use case valid (i.e. is SP2 allowed to link a secure page from SP1 in an iFrame, or is this bad practice)? If so, what should we do to fix this issue?
Kind regards,
Serban
Sitz der Gesellschaft / Corporate Headquarters: Lufthansa Industry Solutions AS GmbH, Norderstedt, Registereintragung / Registration: Amtsgericht Kiel 3688 NO
Geschaeftsfuehrung / Management Board: Bernd Appel
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20200511/582b4c88/attachment.htm>
More information about the users
mailing list