Reputation: 14387
I have an application where I am displaying some stuff in JavaScript modals using jQuery. It requires the user to log in for certain flows, but the user never leaves the modal.
So here is what we do currently.
The problem is when there is an error logging in. We need to get the error codes from the hidden iframe of the page, but because we don't control the content inside the iframe, and it's returned by the SSO server, we don't know how to read it since it's cross-domain.
Any insights?
Upvotes: 5
Views: 13661
Reputation: 65
Use JSONP to call back the function you prevented in your website; then, in the iframe, you just need to invoke the JavaScript function "parent.callback()".
Upvotes: -1
Reputation: 770
You can't get around x-domain restrictions unless you use the JSONP protocol.
Could the user simply see the error response on page? Why do you have the iframe hidden atm?
Are you trying to silently log in the user to another system using the iframe technique?
Even though that might work on most browsers, some browsers won't pass cookies in iframes, making this approach not a good broad-audience solution.
Let me know if I can clarify.
Upvotes: 0
Reputation:
So long as there is no client-side script being executed from the SSO party, you do not need the iframe. The point of using an iframe for security is to prevent AJAX methods from ignoring single origin policy and circumventing SSL encryption. The answer is to remove the iframe. Request the SSO data from the server side and send it to the client from your server as the page is built.
Upvotes: 0
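The server-side approach from the last answer, sketched as an added example that is not part of the original thread: your server talks to the SSO server and hands the modal only a small, allowlisted error code. The `error_code=<CODE>` response format, the code names, and the `postToSso` helper are assumptions made for illustration.

```javascript
// Added example: relay the SSO login result through your own server.
// Assumption (not from the thread): the SSO server answers a login POST with
// an HTTP status and, on failure, a body containing "error_code=<CODE>".

// Only these codes are ever sent to the browser; anything else becomes "UNKNOWN".
const KNOWN_ERRORS = new Set([
  "INVALID_CREDENTIALS",
  "ACCOUNT_LOCKED",
  "PASSWORD_EXPIRED",
]);

// Turn a raw SSO response into the small JSON object the modal needs.
// The raw body is never forwarded, so SSO markup or script cannot reach the page.
function toClientPayload(ssoResponse) {
  const { status, body } = ssoResponse;
  const match = /error_code=([A-Z_]{1,40})/.exec(String(body || ""));
  if (status >= 200 && status < 300 && !match) {
    return { ok: true, error: null };
  }
  const code = match && KNOWN_ERRORS.has(match[1]) ? match[1] : "UNKNOWN";
  return { ok: false, error: code };
}

// Handler core: the browser calls your server, your server calls the SSO server.
// postToSso is a hypothetical function that performs the HTTPS request.
async function relayLogin(credentials, postToSso) {
  try {
    const ssoResponse = await postToSso({
      username: credentials.username,
      password: credentials.password,
    });
    return toClientPayload(ssoResponse);
  } catch (err) {
    // Network or TLS failure talking to the SSO server: report a generic error.
    return { ok: false, error: "SSO_UNAVAILABLE" };
  }
}

// Constructed sample responses, not captured from a real SSO server.
const SAMPLE_FAILURE = { status: 401, body: "<html>error_code=ACCOUNT_LOCKED</html>" };
const SAMPLE_ODD = { status: 200, body: "<script>x()</script>error_code=WEIRD_THING" };
const SAMPLE_OK = { status: 200, body: "<html>welcome</html>" };
```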