How can the x-frame-options HTTP header of ADFS 3 be manipulated?


Use a web server as a reverse proxy in front of ADFS 3 and modify the HTTP header. This can be accomplished with Apache or Nginx. Test this thoroughly before delivering it, as ADFS 3 might not like having a proxy. I don't have a way to provide a Proof of Concept.

It is one more server and service to manage, but I understand this is a requirement you must meet.
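The reverse-proxy approach from the answer above, as an added nginx configuration that is not part of the original answer. The hostnames, certificate paths and the single trusted framing origin (`portal.example.com`) are placeholders; the proxy must present the same certificate and federation service name that ADFS 3 is configured with.

```nginx
# Added example: nginx as an HTTPS reverse proxy in front of ADFS 3 that
# replaces the upstream "X-Frame-Options: DENY" for one trusted origin.
# All hostnames and paths below are placeholders.
server {
    listen 443 ssl;
    server_name adfs.example.com;                  # placeholder: public federation service name

    ssl_certificate     /etc/nginx/certs/adfs.example.com.crt;  # same cert ADFS serves
    ssl_certificate_key /etc/nginx/certs/adfs.example.com.key;

    location / {
        proxy_pass https://adfs-internal.example.com;   # placeholder: the real ADFS 3 host
        proxy_ssl_server_name on;
        proxy_set_header Host $host;                    # ADFS validates the service name
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;

        # Drop the DENY header ADFS sends so the value below is the only one the browser sees.
        proxy_hide_header X-Frame-Options;

        # Permit framing by exactly one origin; every other origin is still refused.
        add_header X-Frame-Options "ALLOW-FROM https://portal.example.com" always;

        # ALLOW-FROM is not honoured by every browser; frame-ancestors is the CSP equivalent
        # and should be sent alongside it so the restriction holds in browsers that ignore ALLOW-FROM.
        add_header Content-Security-Policy "frame-ancestors https://portal.example.com" always;
    }
}
```

Verify after deployment that responses from the proxy carry only the new headers (for example with `curl -sI https://adfs.example.com/adfs/ls/`) and that a full sign-in round trip still works, since ADFS is sensitive to the Host header and to the certificate it sees.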


Author: wkampmann

I'm a software development consultant with a background in the development of PHP and .NET web applications. Lately I'm focussing more on software architecture and development processes such as Scrum, continuous integration, and development process automation in general.

Updated on September 18, 2022

Comments

  • wkampmann
    wkampmann over 1 year

    By default, ADFS 3 responses contain the "X-Frame-Options: DENY" HTTP header. This prevents ADFS from being run in an iframe, because this presents an opportunity for clickjacking attacks.

    At the moment my company is however implementing an integration where an exception should be made to this security rule: pages on a certain domain should be able to embed ADFS in an iframe.

    It seems however that ADFS does not allow changing this out-of-the box. So what is the best way to modify this HTTP header?

    For example as suggested in the RFC (https://www.rfc-editor.org/rfc/rfc7034#section-2.3.2.3)?

    1. A page that wants to render the requested content in a frame supplies its own origin information to the server providing the content to be framed via a query string parameter.

    2. The server verifies that the hostname meets its criteria, so that the page is allowed to be framed by the target resource. This may, for example, happen via a lookup of a whitelist of trusted domain names that are allowed to frame the page. For example, for a Facebook "Like" button, the server can check to see that the supplied hostname matches the hostname(s) expected for that "Like" button.

    3. The server returns the hostname in "X-Frame-Options: ALLOW-FROM" if the proper criteria was met in step #2.

    4. The browser enforces the "X-Frame-Options: ALLOW-FROM" header.

    • raja
      raja almost 9 years
      Nope, I don't believe there is an option to change the default headers
  • wkampmann
    wkampmann about 8 years
    (ADFS 3 is using HTTPS. This makes changing the headers not possible without decrypting / reencrypting the HTTPS traffic.)
  • Brennen Smith
    Brennen Smith about 7 years
    Still possible - you would do L7 interception. So 443HTTPS -> Nginx -> 443HTTPS -> ADFS3. The nginx host would need the valid cert on it.
  • kamihack
    kamihack about 6 years
    As Brennen points out, if you are the local Administrator, you should have access to the SSL certificates and you could decrypt -> inject headers -> encrypt again
  • djdomi
    djdomi over 2 years
    Could it be the wrong question for your answer?
  • djdomi
    djdomi over 2 years
    While this link may answer the question, it is better to include the essential parts of the answer here and provide the link for reference. Link-only answers can become invalid if the linked page changes. - From Review
  • Community
    Community over 2 years
    Your answer could be improved with additional supporting information. Please edit to add further details, such as citations or documentation, so that others can confirm that your answer is correct. You can find more information on how to write good answers in the help center.