Unable to Display content in a frame

Unable to Display content in a frame

Published: 10/09/2018

Problem Description:

After upgrading PingFederate, content does not get displayed in an inline frame.

Solution:

PingFederate 8 and 9 steps:

For a clustered environment the files need to be edited on the console node. Restart the console and then replicate the configuration. 

The engine node will then receive the modified file. 

All the files in config-store as well as the data directory are copied during replication and at startup downloaded from the console node. Changing this on an engine node and restarting causes the file to be overwritten by the copy from the console.


Ping modified the way the headers on PingFederate are constructed in 7.3 for security reasons, which can impact display of iFrames, where there was none previously. Since tha release, a default setting of "X-Frame-Options:SAMEORIGIN" was set (with the exception of certain SLO endpoints) and this will cause problems where part of the SSO flow occurs within an iframe. Note: These steps are applicable for all versions of PingFederate above 7.3.

The settings can be changed by modifying <PF_INSTALL>/server/default/data/config-store/response-header-runtime-config.xml, and you have the below options

1) Completely disable this custom header i.e comment out the entire "X-Frame-Options" section. This opens up the page for clickjacking attacks.

or

2) Comment out the entire "X-Frame-Options" section and add a new one for "Content-Security-Policy".

See example below,

<!-- ===================================================================== -->
<!-- HTTP X-Frame-Options response header field                            -->
<!-- ===================================================================== -->
<!-- This header is used to indicate whether or not a browser should be    -->
<!-- allowed to render a page in a frame or iframe.                        -->
<!--                                                                       -->
<!-- This response header can also be configured for the PingFederate      -->
<!-- runtime application in response-header-admin-config.xml.              -->
<!--                                                                       -->
<!--    <con:map name="X-Frame-Options"> -->
<!--    <con:item name="value">SAMEORIGIN</con:item> -->
<!--    <con:item name="include-patterns"></con:item> -->
<!--    <con:item name="exclude-patterns"> -->
<!--    */idp/startSLO.ping;*/sp/startSLO.ping;*/idp/SLO.saml2;*/sp/SLO.saml2;*/idp/prp.wsf;*/sp/prp.wsf -->
<!--    </con:item> -->
<!--    </con:map> -->

<con:map name="Content-Security-Policy">
    <con:item name="value">script-src 'unsafe-inline' 'unsafe-eval' 'self'; img-src 'self'; style-src 'self'; base-uri 'self'; object-src 'self'; frame-ancestors 'self'; https://*.otherDomain.com ;</con:item>
    <con:item name="include-patterns">*</con:item>
</con:map>

The "https://*.otherDomain.com" should be replaced with domain values where you wish to load PingFederate pages inside an iFrame. They should point to domains that have been determined to be acceptable to load PingFederate inside of an iFrame. These can (and probably should) be further restricted to specific hosts, such as "https://host.otherdomain.com".

Please note the following are applicable to PingFederate 7:

  • As mentioned in the documentation link here, cluster replication does not load this change automatically on runtime engine nodes. As such, you will need to restart all the engine nodes if you are modifying a clustered environment.
  • Support has seen where caching inside the <install>/pingfederate/work directory prevents the proper loading of the new policy. If this happens, stop the runtime, delete the contents of the work directory, start the runtime, and test again.
  • Ping Support cannot and will not provide your organization with the directives and domains that you may need, and you should understand how CSP works before implementing. The directives are covered at W3C. There are a number of resources on the Internet that may assist you in configuring CSP, such as: https://csp-evaluator.withgoogle.com/ and https://www.html5rocks.com/en/tutorials/security/content-security-policy/.
Category:
PingFederate , 
KB or other URL: