X-Frame-Options issue with Single Sign-On in Feedback Widget
Normally, remote login URLs open in a pop-up window. After successful authorization the pop-up closes and the user is logged in to the user portal.
However, if all authorization options, except SSO, are disabled and Anonymous Access is not allowed, Helprace doesn’t show a login prompt when an unauthenticated user visits the portal. Instead, it redirects the user to the remote login URL in the same window. This is considered best behavior for a smooth user experience.
There is one exception to this. When you’re using the Feedback Widget and the following is true:
- Anonymous Access is disabled
- Helprace Login is disabled
- Social Authentication is disabled
- Single Sign-On is enabled
- Your authentication provider returns at least one of these headers:
- X-Frame-Options: SAMEORIGIN
- X-Frame-Options: DENY
In this case, Helprace would normally have to redirect the user to the remote login URL once they launch the Feedback Widget. If your authentication provider blocks its login screen from opening in an iframe, users won't see the login screen. They'll most likely see a white screen within the widget.
In this case you need to force the remote login URL to open in a pop-up window. Once the user logs in, the pop-up is closed automatically and the user appears logged in in the Feedback Widget.
Please note that if you’re not using the Feedback Widget, it's recommended you keep this setting off, so that the user logs in without seeing any pop-ups.
If you have more than one login option enabled or Anonymous Access is allowed, this setting is irrelevant. It won’t change the behavior, as the remote login URL will be opened in a pop-up every time. That's why this setting is hidden in this case.