By default, ADFS 3 responses contain the “X-Frame-Options: DENY” HTTP header. This prevents ADFS from being run in an iframe, because this presents an opportunity for clickjacking attacks.
At the moment my company is however implementing an integration where an exception should be made to this security rule: pages on a certain domain should be able to embed ADFS in an iframe.
It seems however that ADFS does not allow changing this out-of-the box. So what is the best way to modify this HTTP header?
For example as suggested in the RFC (https://tools.ietf.org/html/rfc7034#section-188.8.131.52)?
A page that wants to render the requested content in a frame
supplies its own origin information to the server providing the
content to be framed via a query string parameter.
The server verifies that the hostname meets its criteria, so that
the page is allowed to be framed by the target resource. This
may, for example, happen via a lookup of a whitelist of trusted
domain names that are allowed to frame the page. For example,
for a Facebook “Like” button, the server can check to see that
the supplied hostname matches the hostname(s) expected for that
The server returns the hostname in “X-Frame-Options: ALLOW-FROM”
if the proper criteria was met in step #2.
- The browser enforces the “X-Frame-Options: ALLOW-FROM” header.