7

By default, ADFS 3 responses contain the "X-Frame-Options: DENY" HTTP header. This prevents ADFS from being run in an iframe, because this presents an opportunity for clickjacking attacks.

At the moment my company is however implementing an integration where an exception should be made to this security rule: pages on a certain domain should be able to embed ADFS in an iframe.

It seems however that ADFS does not allow changing this out-of-the box. So what is the best way to modify this HTTP header?

For example as suggested in the RFC (https://www.rfc-editor.org/rfc/rfc7034#section-2.3.2.3)?

  1. A page that wants to render the requested content in a frame supplies its own origin information to the server providing the content to be framed via a query string parameter.

  2. The server verifies that the hostname meets its criteria, so that the page is allowed to be framed by the target resource. This may, for example, happen via a lookup of a whitelist of trusted domain names that are allowed to frame the page. For example, for a Facebook "Like" button, the server can check to see that the supplied hostname matches the hostname(s) expected for that "Like" button.

  3. The server returns the hostname in "X-Frame-Options: ALLOW-FROM" if the proper criteria was met in step #2.

  4. The browser enforces the "X-Frame-Options: ALLOW-FROM" header.

wkampmann
  • 71
  • 1
  • 5

2 Answers2

1

Use a web server as reverse proxy in front of the ADFS 3 and modify the HTTP header. This can be accomplished with Apache or Nginx. Test this thoroughly before delivering it, as ADFS 3 might not like having a proxy. I don't have a way to provide a Proof of Concept

It is one more server and service to manage, but I understand this is a requirement you must meet

kamihack
  • 312
  • 1
  • 6
  • 3
    (ADFS 3 is using HTTPS. This makes changing the headers not possible without decrypting / reencrypting the HTTPS traffic.) – wkampmann Apr 21 '16 at 10:44
  • 1
    Still possible - you would do L7 interception. So 443HTTPS -> Nginx -> 443HTTPS -> ADFS3. The nginx host would need the valid cert on it. – Brennen Smith May 20 '17 at 04:27
  • As Brennen points out, if you are the local Administrator, you should have access to the SSL certificates and you could decrypt -> inject headers -> encrypt again – kamihack May 01 '18 at 19:24
0

Set-AdfsResponseHeaders cmdlet has been added by Microsoft:

https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/customize-http-security-headers-ad-fs

  • could it be the wrong question for your answer? – djdomi Nov 04 '21 at 17:54
  • While this link may answer the question, it is better to include the essential parts of the answer here and provide the link for reference. Link-only answers can become invalid if the linked page changes. - [From Review](/review/late-answers/501846) – djdomi Nov 04 '21 at 17:55
  • Your answer could be improved with additional supporting information. Please [edit] to add further details, such as citations or documentation, so that others can confirm that your answer is correct. You can find more information on how to write good answers [in the help center](/help/how-to-answer). – Community Nov 11 '21 at 15:44