Allowing Remedy SSO to open applications in iframes
To allow Remedy Single Sign-On to launch applications in iframes and in nested iframes, you must configure Remedy SSO server to allow launching applications from other domains.
Use cases overview
To enable Remedy SSO authentication flow of the a application in an iframe, you must configure the Allow-From Domains option on Remedy SSO server:
- Your application is launched in an iframe:
In this use case, your application is launched from a parent application in an iframe.
Your application is launched in a nested iframe:
In this use case, your application is launched in an iframe from the grandparent application.
This use case is not limited to launching application in iframes from a second-level hierarchy. The level of nested hierarchy is not restricted, and you can have a child application launched from a grandparent, grandgrandparent, etc.
System requirement prerequisite for applications in nested iframes
If you have applications in nested iframes, then the following requirement must be met before you enable the Remedy SSO configuration:
The child application must pass the following parameter in the GET call to the sub-child application: allow-from-domain=http://parentApplicationDomainName:port,http://ApplicationDomainName:port
The port value is not mandatory. If the port is not stated, then the default port is applied. The default port for HTTP is 80, the default port for HTTPS—443.
The value of this parameter must be URL-encoded.
To allow Remedy SSO server to launch applications in iframes
On Remedy SSO server, in Remedy SSO Admin Console, configure the Allow-From Domains option for your authentication type.
If you have authentication chains, then you must specify Allow-From Domain(s) for every authentication type in the chain.
If your application is nested in more than one iframe (see the grandparent-parent-child use case in the diagram), you must specify all domains in the Allow-From Domains field in the following order and format: <domain of the grandgrandparent>,<domain of the grandparent>, <domain of the parent>.
The possible values for Allow-From Domains settings are the following:
- * - wildcard. Allowed for all domains
- hostname - Allowed for specified domain, ignoring port
- hostname:port - Allowed for exact match host:port
proto://hostname:port - Allowed for exact match host:port (proto is ignored, the actual one is taken from the original referrer).
proto://hostname - If the port is not stated, then the default port is applied. The default port for HTTP is 80, the default port for HTTPS—443.