After upgrading PingFederate, Vault users encounter the error "This content cannot be displayed in a frame." This occurs when providing an electronic signature via Single Sign-On to approve a document.
PingFederate changed the way response headers are constructed in version 7.3 for security reasons. This can break the display of iFrames that previously worked without error. Since that release, an X-Frame-Options: SAMEORIGIN header is set by default (with the exception of certain SLO endpoints), which causes a problem wherever part of the Single Sign-On flow occurs within an iFrame.
PingFederate Admins can change this behaviour by modifying <PF_INSTALL>/server/default/data/config-store/response-header-runtime-config.xml. Use one of the following options:
- Completely disable the custom header by commenting out the entire X-Frame-Options section. This opens the page up to clickjacking attacks.
- Comment out the entire X-Frame-Options section and add a new one for Content-Security-Policy that lists the domains allowed to frame PingFederate pages.
Replace https://*.otherDomain.com with the domain values from which Admins wish to load PingFederate pages inside an iFrame, i.e. the domains that have been determined acceptable to load PingFederate inside an iFrame. These can (and probably should) be further restricted to specific hosts, such as https://host.otherdomain.com.
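To check what a browser will do with the headers that result from either option, the following added example (not code from the article or from PingFederate) evaluates X-Frame-Options and the CSP frame-ancestors directive, which is the Content-Security-Policy counterpart of X-Frame-Options and takes precedence when both headers are present, and lists wildcard sources that the article advises narrowing to specific hosts. The header values and origins are constructed, and the port and wildcard matching is a simplified version of the CSP host-source rules.

```python
from urllib.parse import urlsplit
# Constructed sample: headers as an SSO endpoint might return them after option 2 above.
SAMPLE_HEADERS = {"content-security-policy": "frame-ancestors 'self' https://*.otherDomain.com"}

def frame_ancestors(headers):
    """Source list of the CSP frame-ancestors directive, or None if there is none."""
    for directive in (headers.get("content-security-policy") or "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:]
    return None

def host_source_matches(source, origin):
    """Match a host-source such as https://*.otherdomain.com or host.example.com:8443."""
    o = urlsplit(origin)
    scheme, _, rest = source.partition("://")
    if not rest:                       # source carries no scheme, e.g. "*.otherdomain.com"
        scheme, rest = "", scheme
    host, _, port = rest.partition(":")
    if scheme and scheme != o.scheme:
        return False
    if port and port != str(o.port or {"https": 443, "http": 80}.get(o.scheme)):
        return False
    if host.startswith("*."):          # "*.x.com" matches "a.x.com" but not "x.com" itself
        return (o.hostname or "").endswith(host[1:])
    return o.hostname == host

def source_matches(source, page_origin, framing_origin):
    s, framing = source.lower(), framing_origin.lower()
    if s in ("'none'", "*"):
        return s == "*"
    if s == "'self'":
        return framing == page_origin.lower()
    if s.endswith(":") and "//" not in s:  # scheme-source such as "https:"
        return urlsplit(framing).scheme == s[:-1]
    return host_source_matches(s, framing)

def may_be_framed_by(headers, page_origin, framing_origin):
    """True if a browser would let framing_origin embed a page served with these headers."""
    sources = frame_ancestors(headers)
    if sources is None:                # X-Frame-Options only applies without frame-ancestors
        xfo = (headers.get("x-frame-options") or "").strip().upper()
        if xfo == "SAMEORIGIN":
            return framing_origin.lower() == page_origin.lower()
        return xfo != "DENY"           # no header at all = unprotected, the clickjacking case of option 1
    return any(source_matches(s, page_origin, framing_origin) for s in sources)

def wildcard_sources(headers):
    """frame-ancestors entries with a '*' wildcard, which the article advises narrowing to hosts."""
    return [s for s in (frame_ancestors(headers) or []) if "*" in s]
```

With the sample headers, a Vault page on https://vault.otherdomain.com may frame the SSO page, while the bare https://otherdomain.com and any http:// origin may not.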