Allowing BMC Helix SSO to open applications in iframes

BMC Helix Single Sign-On provides support for opening applications in iframes to cross-launch applications from different domains. To open the applications in iframes, you have to configure the BMC Helix Single Sign-On server to allow opening applications from domains other than the BMC Helix Single Sign-On server domain.

Supported types of iframe usage

You can configure the BMC Helix Single Sign-On server to open applications at the following levels of the hierarchy:

  • Single-level hierarchy iframe: The application is opened in an iframe within the parent application.
  • Multi-level hierarchy nested iframe: The application is opened from the grandparent application in an iframe that is displayed in an existing iframe within the parent application. Nested iframes support unlimited levels of hierarchy of iframes.

The following image shows the single-level and multiple-level implementations of iframe:

To configure BMC Helix SSO to open applications in iframes

  1. Log in to the BMC Helix SSO server.
  2. Select the Realms tab, and click Edit to view the realm configuration.
  3. On the Authentication tab, in ALLOW-FROM Domain(s), include all the external domains from which applications can be opened in an iframe.

    The setting can include any of the following values: 

    *: wildcard. Allowed for all domains.
    hostname: Allowed for the specified domain. Port is ignored.

    Allowed for exact match host:port.


    Allowed for exact match host:port (proto is ignored, the actual one is taken from the original referrer).


    If the port is not defined, the default port is applied. The default port for HTTPS is 443.

    • For single-level iframe, enter only the domain name of the parent application.
    • For nested iframe, specify the domain names in the following format and order:
      <domain of the great-grandparent>,<domain of the grandparent>,<domain of the parent>
    • For authentication chains, specify Allow-From Domain(s) for every authentication type in the chain.

  4. Set the following options for the cookie security for the tenant of the BMC Helix SSO server used to authenticate the application:
  5. For applications authenticated by the BMC Helix SSO agent, configure the sso-external-url via HTTPS in the file.
    For more information about configuring the external URL, see Configuring the BMC Helix SSO agent.
  6. For an OAuth2 multi-domain client, configure the Redirect URI for the application to use the HTTPS protocol.
    For more information about setting the Redirect URI, see Configuring OAuth 2.0.


For external requests from a parent application, the following parameter must be included in the GET call to the child application:

allow-from-domain=https://grandparentApplicationDomainName:port,http://parentApplicationDomainName:port

  • The port value is optional. If the port is not defined, the default port for HTTPS (443) is applied. 
  • The value of this parameter must be URL-encoded.
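
The GET call described above, sketched as an added example (not BMC code): it builds the URL-encoded allow-from-domain value from an ordered ancestor list and rejects entries that are not plain scheme://host[:port] origins. The function names and the example.com hosts are assumptions made for illustration.

```javascript
// Added example; every hostname here is a constructed placeholder.
const PARAM = "allow-from-domain"; // parameter name as given on this page

// Reduce one ancestor to scheme://host[:port]; reject anything else.
function toOrigin(value) {
  const u = new URL(value); // throws on malformed input such as "*"
  if (u.protocol !== "https:" && u.protocol !== "http:") {
    throw new Error(`unsupported scheme: ${value}`);
  }
  const extra = u.username || u.password || u.search || u.hash;
  if (extra || u.pathname !== "/" || u.hostname.includes(",")) {
    throw new Error(`expected scheme://host[:port], got: ${value}`);
  }
  return u.origin; // a default port (443 for HTTPS) is left implicit
}

// ancestors: outermost frame first, direct parent last (order matters).
function buildChildUrl(childUrl, ancestors) {
  if (!Array.isArray(ancestors) || ancestors.length === 0) {
    throw new Error("at least the parent origin is required");
  }
  const list = ancestors.map(toOrigin).join(",");
  const url = new URL(childUrl);
  url.searchParams.set(PARAM, list); // percent-encodes ':', '/' and ','
  return url.toString();
}

// Decode the parameter back into its ordered origin list, for checking.
function readAllowFrom(requestUrl) {
  const raw = new URL(requestUrl).searchParams.get(PARAM);
  return raw === null ? [] : raw.split(",").map(toOrigin);
}

// Constructed input: a child opened two levels deep.
const demo = buildChildUrl("https://child.example.com/app?id=7", [
  "https://grandparent.example.com",
  "https://parent.example.com:8443",
]);
console.log(demo);
console.log(readAllowFrom(demo));
```

Listing origins explicitly in the request, as here, also makes it easy to compare them against the ALLOW-FROM Domain(s) setting on the realm.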