IDP in iFrame

CANTEA, SERBAN serban.cantea at
Mon May 11 10:11:37 UTC 2020


We’re running the Shibboleth IDP on a domain I’ll call
We have two service providers SP1 (which also lives on and SP2 (which lives on

SP2 has an iFrame which shows a protected page from SP1. This worked fine so far, since the users have to log in to access SP2 and the iFrame making the call to SP2 had all the cookies needed for SSO by SP1. Since the introduction of the “SameSite” cookie parameters in the new versions of Chrome, this behaviour is now broken.

My questions are: is this use case valid (i.e. is SP2 allowed to link a secure page from SP1 in an iFrame, or is this bad practice)? If so, what should we do to fix this issue?

Kind regards,

Sitz der Gesellschaft / Corporate Headquarters: Lufthansa Industry Solutions AS GmbH, Norderstedt, Registereintragung / Registration: Amtsgericht Kiel 3688 NO
Geschaeftsfuehrung / Management Board: Bernd Appel
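
The behaviour described in the message above, as an added example that is not part of the original post: a simplified JavaScript model of how Chrome 80 and later decide whether a cookie accompanies a request made from inside a cross-site iframe. The hosts and cookie names are hypothetical placeholders, and the "site" computation is a simplification of what browsers do.

```javascript
// Simplified model of Chrome 80+ SameSite handling (added example).
// Assumption: "site" is the last two host labels; browsers use the Public Suffix List.
const siteOf = (host) => host.split('.').slice(-2).join('.');

// Chrome drops a SameSite=None cookie at set time unless it is also Secure.
const isStored = (c) => !(c.sameSite === 'None' && !c.secure);

// A cookie with no SameSite attribute is treated as Lax.
const modeOf = (c) => c.sameSite || 'Lax';

// req.topHost: host of the top-level page (for a top-level navigation, the page
// the user is leaving). req.targetHost: host of the URL being requested.
function cookiesSent(req, jar) {
  const crossSite = siteOf(req.topHost) !== siteOf(req.targetHost);
  const laxAllowed = req.topLevelNavigation && req.method === 'GET';
  return jar
    .filter((c) => c.host === req.targetHost && isStored(c))
    .filter((c) => {
      if (!crossSite) return true;          // same-site: every mode is sent
      const mode = modeOf(c);
      if (mode === 'None') return true;     // explicitly allowed cross-site
      if (mode === 'Lax') return laxAllowed; // only top-level GET navigations
      return false;                         // Strict
    })
    .map((c) => c.name);
}

// Constructed sample data: hypothetical hosts and cookie names.
const iframeLoad = { topHost: 'sp2.example.net', targetHost: 'sp1.example.org',
                     topLevelNavigation: false, method: 'GET' };
const idpRedirect = { ...iframeLoad, targetHost: 'idp.example.org' };
const directVisit = { ...iframeLoad, topLevelNavigation: true };

const defaultJar = [   // cookies set without any SameSite attribute
  { name: 'sp1_session', host: 'sp1.example.org', secure: true },
  { name: 'idp_session', host: 'idp.example.org', secure: true },
];
const relaxedJar = defaultJar.map((c) => ({ ...c, sameSite: 'None' }));
const insecureJar = relaxedJar.map((c) => ({ ...c, secure: false }));

console.log('iframe, default cookies :', cookiesSent(iframeLoad, defaultJar));
console.log('iframe -> IdP, default  :', cookiesSent(idpRedirect, defaultJar));
console.log('top-level link, default :', cookiesSent(directVisit, defaultJar));
console.log('iframe, None + Secure   :', cookiesSent(iframeLoad, relaxedJar));
console.log('iframe -> IdP, None+Sec :', cookiesSent(idpRedirect, relaxedJar));
console.log('iframe, None, no Secure :', cookiesSent(insecureJar.length ? iframeLoad : iframeLoad, insecureJar));
```

The model ignores cookie Domain/Path matching and Chrome's temporary allowance for Lax cookies on POST requests.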
