Overview:
After upgrading PingFederate, Vault users see the error "This content cannot be displayed in a frame" when they provide an electronic signature through Single Sign-On to approve a document. The message is the browser's: it has refused to render the PingFederate page inside the iFrame that Vault uses for the signing flow.
Root Cause:
PingFederate 7.3 changed, for security reasons, how it constructs response headers, which can break pages that were previously displayed inside iFrames without error. Since that release PingFederate sends X-Frame-Options: SAMEORIGIN by default on its runtime endpoints (certain SLO endpoints excepted). Browsers honour this header by refusing to render the page in any frame whose top-level document has an origin other than PingFederate's. Vault runs part of the Single Sign-On flow inside an iFrame on its own origin, so the browser blocks the PingFederate page and shows the error above.
Solution:
PingFederate Admins can change this behaviour by editing <PF_INSTALL>/server/default/data/config-store/response-header-runtime-config.xml (like other config-store changes, the edit takes effect after PingFederate is restarted). There are two options:
- Completely disable the header by commenting out the entire X-Frame-Options section. This leaves every PingFederate page frameable by any site and exposes users to clickjacking, so it is not recommended.
or
- Comment out the entire X-Frame-Options section and add a new section for a Content-Security-Policy header whose frame-ancestors directive lists the origins allowed to frame PingFederate, for example frame-ancestors 'self' https://*.otherDomain.com. Current browsers give frame-ancestors precedence over X-Frame-Options, and unlike the obsolete X-Frame-Options: ALLOW-FROM it works across browsers, so this is the supported way to allow framing from selected origins only.
Replace https://*.otherDomain.com with the domain(s) permitted to load PingFederate pages inside an iFrame, that is, the origin that hosts the Vault signing page. A wildcard trusts every present and future subdomain, and an attacker who controls any one of them could frame the SSO flow, so the list can (and probably should) be further restricted to specific hosts, such as https://host.otherdomain.com. Keep 'self' so PingFederate's own pages can still frame each other where they need to.
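The following script is an added example, not part of this article or of PingFederate. It evaluates a set of response headers the way a current browser does when deciding whether a page may be rendered in a frame (CSP frame-ancestors first, then X-Frame-Options), and runs that check for the three configurations discussed above against a legitimate embedder and a third-party site. The PingFederate origin https://sso.example.com, the Vault origin https://vault.otherdomain.com and the attacker origin https://evil.example are hypothetical; the header sets are constructed to mirror the article's options, not captured from a real server. Use it to reason about a candidate frame-ancestors value before deploying it, or paste in the headers returned by a curl -I against a PingFederate runtime endpoint after the change.

```python
"""Decide whether a PingFederate page would be frameable under a given header set.

Added example (not PingFederate code). Mirrors the browser rule: a CSP
frame-ancestors directive, when present, overrides X-Frame-Options; an absent or
unrecognised X-Frame-Options value (e.g. the obsolete ALLOW-FROM) means the page
is frameable from anywhere.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def _split_origin(origin):
    """Return (scheme, host, port) for an origin such as https://vault.otherdomain.com."""
    u = urlsplit(origin)
    scheme = u.scheme.lower()
    return scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(scheme)


def _source_matches(source, protected_origin, embedder):
    """Match one frame-ancestors source expression against the embedding origin."""
    e_scheme, e_host, e_port = _split_origin(embedder)
    src = source.lower()
    if src == "'none'":
        return False
    if src == "'self'":
        return _split_origin(protected_origin) == (e_scheme, e_host, e_port)
    if src == "*":
        return True
    if "//" in src:                        # host-source with scheme: https://host[:port]
        scheme, hostport = src.split("//", 1)
        scheme = scheme[:-1] or None       # drop trailing ':'
    elif src.endswith(":"):                # scheme-source: "https:" matches any https host
        scheme, hostport = src[:-1], ""
    else:                                  # host-source without scheme inherits the page's
        scheme, hostport = None, src
    if scheme is None:
        scheme = _split_origin(protected_origin)[0]
    # exact scheme match, or an http source also matching an https embedder (CSP3 rule)
    if not (scheme == e_scheme or (scheme == "http" and e_scheme == "https")):
        return False
    if not hostport:
        return True
    host, _, port = hostport.partition(":")
    if host.startswith("*."):
        # "*.otherdomain.com" matches any subdomain but never the bare apex
        suffix = host[1:]
        if not (e_host.endswith(suffix) and len(e_host) > len(suffix)):
            return False
    elif e_host != host:
        return False
    if port == "*":
        return True
    if port:
        return int(port) == e_port
    return e_port == DEFAULT_PORTS.get(e_scheme)   # no port given: default port only


def frame_ancestors_sources(csp):
    """Return the frame-ancestors source list from a CSP header, or None if absent."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:]
    return None


def framing_allowed(headers, protected_origin, embedder):
    """True if a browser would render protected_origin's page inside a frame on embedder."""
    h = {k.lower(): v for k, v in headers.items()}
    csp = h.get("content-security-policy")
    if csp is not None:
        sources = frame_ancestors_sources(csp)
        if sources is not None:            # frame-ancestors present: X-Frame-Options ignored
            return any(_source_matches(s, protected_origin, embedder) for s in sources)
    xfo = h.get("x-frame-options", "").strip().lower()
    if xfo == "deny":
        return False
    if xfo == "sameorigin":
        return _split_origin(protected_origin) == _split_origin(embedder)
    return True                            # no header or unrecognised value: frameable anywhere


# Hypothetical origins and constructed header sets for the article's three configurations.
PF_ORIGIN = "https://sso.example.com"
VAULT = "https://vault.otherdomain.com"
ATTACKER = "https://evil.example"
CONFIGS = {
    "default-7.3": {"X-Frame-Options": "SAMEORIGIN"},
    "option-1-no-header": {},
    "option-2-wildcard": {"Content-Security-Policy": "frame-ancestors 'self' https://*.otherdomain.com"},
    "option-2-host": {"Content-Security-Policy": "frame-ancestors 'self' https://vault.otherdomain.com"},
}


def summarize():
    """Map each configuration to (Vault may frame, third-party site may frame)."""
    return {name: (framing_allowed(h, PF_ORIGIN, VAULT), framing_allowed(h, PF_ORIGIN, ATTACKER))
            for name, h in CONFIGS.items()}


if __name__ == "__main__":
    for name, (vault_ok, attacker_ok) in summarize().items():
        print(f"{name:20} Vault framing: {vault_ok!s:5}  third-party framing: {attacker_ok}")
```

The summary makes the trade-off concrete: the 7.3 default blocks Vault and attackers alike, option 1 admits both, and either option 2 variant admits Vault while still refusing a third-party origin, an apex domain that the wildcard does not cover, or a plain-http embedder.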
Related Documentation:
N/A