X-frame options

Context :: We embed our application that is behind Okta in an iframe within LivePerson.

Problem :: When a user lands on the page for the first time, the iframe shows blank. In the console, the error reads: “refused to display {URL} in a frame because it set ‘x-frame-options’ to ‘sameorigin’”. The user needs to open a new tab for the application, which then authenticates through Okta, before returning and refreshing for the LivePerson iframe to work.

Feature request // Solution :: The Okta proxy does not allow being <iframe>'ed for specific domains. It has a response header of: “X-Frame-Options: sameorigin”. Extend an option for Okta to allow for an alternate header: “X-Frame-Options: allow-from https://liveperson.net”. At the moment, it is only possible to allow all domains to embed or none at all.

4 Likes
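An added example, not part of the original thread: a simplified Python model of how a current browser decides whether a response may be framed, covering the `X-Frame-Options: sameorigin` header quoted above, the proposed `allow-from` form, and the CSP `frame-ancestors` directive. `ALLOW-FROM` is obsolete and current browsers ignore a header that uses it, so per-origin allow-listing is done with `frame-ancestors`. The function names and the `app.example.com` / `other.example` URLs are assumptions; only the direct parent is checked and ports in source expressions are not handled.

```python
from urllib.parse import urlsplit

def _origin(url):
    p = urlsplit(url)
    return (p.scheme.lower(), (p.hostname or "").lower(), p.port)

def _source_matches(source, parent_url, framed_url):
    """Match one frame-ancestors source expression against the parent page."""
    s = source.strip().lower()
    if s == "'self'":
        return _origin(parent_url) == _origin(framed_url)
    if s == "*":
        return True
    if "://" not in s:
        return False  # 'none', bare hosts and bare schemes: not modelled here
    scheme, host = s.split("://", 1)
    p_scheme, p_host, _ = _origin(parent_url)
    if scheme != p_scheme:
        return False
    if host.startswith("*."):
        return p_host.endswith(host[1:])  # subdomains only, not the apex
    return p_host == host

def framing_allowed(headers, framed_url, parent_url):
    """True if the parent page may embed framed_url given its response headers."""
    h = {k.lower(): v for k, v in headers.items()}
    # CSP frame-ancestors, when present, takes precedence over X-Frame-Options.
    for directive in h.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return any(_source_matches(s, parent_url, framed_url)
                       for s in parts[1:])
    xfo = h.get("x-frame-options", "").strip().lower()
    if xfo == "deny":
        return False
    if xfo == "sameorigin":
        return _origin(parent_url) == _origin(framed_url)
    # Absent or unrecognised value (including allow-from): no restriction.
    return True

if __name__ == "__main__":
    app = "https://app.example.com/page"       # constructed sample URL
    lp = "https://liveperson.net/agent"
    print(framing_allowed({"X-Frame-Options": "sameorigin"}, app, lp))
    print(framing_allowed(
        {"Content-Security-Policy": "frame-ancestors https://liveperson.net"},
        app, lp))
```

The `allow-from` case returning `True` for any parent is the point to notice: a header in that form leaves the page frameable by every origin in browsers that ignore it.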

Was there ever a solution to this? We have this exact problem, trying to embed OKTA-secured website content within Confluence.

We are doing the same here. We have an OKTA-protected app by SAML and need to embed an OIDC app in an iframe. Currently, the 2FA is appearing in the iframe. How do we prevent this from showing up?