Hadi Chemaly

Do you have recommendations to overcome the recent "Allow IFrame embedding" security flag?

Our company develops a CTI package app for Salesforce. These apps are embedded in Salesforce as an iframe. Our CTI login is integrated with Okta authentication. We have customers who want to turn off Allow IFrame embedding for security reasons. If they do so, authentication does not complete, and the user is stuck at the login spinner.

Surely we cannot be the only Salesforce app that is integrated with Okta. How have Salesforce app builders overcome this?
Jaypee Manansala (Okta)
Hi Hadi,

Thanks for posting your inquiries in Okta Community. Okta has enabled X-Frame-Options protection for all pages to protect against user interface redress attacks, or Clickjack attacks. To prevent such attacks, Okta no longer allows the embedding of pages rendered into iFrames by default. This is achieved by including the following special HTTP Response Header: X-Frame-Options: SAMEORIGIN. Setting this header ensures that pages displayed in iFrames originate on the same parent Okta domain and prevents the display of such pages that do not originate on the same domain. Allowing iFrame embedding is being disabled by default for all new Okta Orgs, and the majority of existing Okta orgs.

For more information:

Please let me know if you need any additional information. Thank you.
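A way to check the behaviour Jaypee describes, as an added example that is not Okta's code or part of this thread: given a response's headers, it reports whether a browser would let the page be framed by a given embedding origin, applying CSP frame-ancestors first and X-Frame-Options only as the fallback. The tenant domains and header sets are constructed for illustration.

```python
# Added example (not Okta's code or the thread's): decide from response headers
# whether a browser would let `page_url` be framed by a document at `embedder_url`.
# Simplification: CSP host matching is exact-origin only (no wildcards or paths).
from urllib.parse import urlparse


def origin_of(url):
    """Normalise a URL to its scheme://host[:port] origin, lower-cased."""
    p = urlparse(url)
    return f"{p.scheme}://{p.netloc}".lower()


def framing_allowed(headers, page_url, embedder_url):
    """Return (allowed, reason). Browsers apply CSP frame-ancestors first and,
    only when that directive is absent, fall back to X-Frame-Options."""
    h = {k.lower(): v for k, v in headers.items()}
    page, embedder = origin_of(page_url), origin_of(embedder_url)

    for directive in h.get("content-security-policy", "").split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            sources = [t.strip("'").lower() for t in tokens[1:]]
            if "none" in sources:
                return False, "CSP frame-ancestors 'none'"
            if "*" in sources or embedder in sources:
                return True, f"CSP frame-ancestors lists {embedder}"
            if "self" in sources and embedder == page:
                return True, "CSP frame-ancestors 'self' (same origin)"
            return False, f"CSP frame-ancestors does not list {embedder}"

    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False, "X-Frame-Options: DENY"
    if xfo == "SAMEORIGIN":
        if embedder == page:
            return True, "X-Frame-Options: SAMEORIGIN (same origin)"
        return False, f"X-Frame-Options: SAMEORIGIN blocks {embedder}"
    if xfo:
        # ALLOW-FROM and other values are unsupported by current browsers and
        # are ignored, which leaves the page embeddable.
        return True, f"X-Frame-Options value '{xfo}' is not enforced"
    return True, "no frame-ancestors or X-Frame-Options header present"


# Constructed headers and origins, modelled on the Okta-in-Salesforce case.
OKTA_LOGIN = "https://tenant.okta.example/login/login.htm"
SALESFORCE = "https://tenant.lightning.force.example/lightning/page/home"
HARDENED = {"X-Frame-Options": "SAMEORIGIN"}
OPEN = {}
```

Run `framing_allowed(HARDENED, OKTA_LOGIN, SALESFORCE)` to see the blocked case from the original question, and pass the headers captured from a real response (for example from browser developer tools) to check an org's actual setting.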


Michael Kelly
It looks like this functionality doesn't work, as I am able to insert our company Okta page within an Iframe on a web page. Please readdress this issue please!!!

Michael Kelly
Jaypee, please see above Clickjacking issue!
Matt Egan (Okta, Inc.)
Hi Michael,

Can you confirm a setting for me?

Admin UI: Settings -> Customization -> IFrame Embedding
Allow IFrame embedding

If this is indeed unchecked and you are seeing that test work, will you let me know? If it is checked, I would recommend confirming that you don't actually need to support iFrame embedding and then unchecking it to remove this surface area of attack.