This is not the latest version of Identity Director documentation.View available documentation.
Display the Web Portal in an iframe of a website from another domain
These instructions replace the allowInFrame attribute (in the WebPortal.config file), which has been deprecated.
By default, the Web Portal uses the HTTP Response Header X-Frame-Options: SAMEORIGIN. This prevents display of the Web Portal in an iframe of a website from another domain and has been implemented for security reasons.
To allow display of the Web Portal in an iframe of a website from another domain in a secure way:
Identity Director 2020.0.0
- Browse to the installation folder of the Web Portal (located by default at C:\Program Files (x86)\RES Software\IT Store\Web Portal).
- Locate the Web.config file and open it, for example with Notepad.
- In the file, in the node <system.webServer><httpProtocol><customHeaders> :
- Locate the line <add name="X-Frame-Options" value="SAMEORIGIN"/></add>
Change it to:
<add name="X-Frame-Options" value="ALLOW-FROM https://mydomain1.com"/></add> - Edit the line that starts with <add name="Content-Security-Policy" to:
<add name="Content-Security-Policy" value="script-src 'self' 'unsafe-inline' 'unsafe-eval'; frame-ancestors 'self' https://mydomain1.com https://mydomain2.com"/></add> - Replace the domains at frame-ancestors with the domain(s) that are allowed to display the Web Portal, but do not delete or change'self'.
- Locate the line <add name="X-Frame-Options" value="SAMEORIGIN"/></add>
- Save your changes.
If you get an 'Access denied' error, start Notepad using Run as administrator, open the file from there and return to step 3.
Changes to the Web.config file will be overwritten at the each upgrade of Identity Director.
Identity Director 2020.0.1 and higher
- Browse to the installation folder of the Web Portal (located by default at C:\Program Files (x86)\RES Software\IT Store\Web Portal).
- In the Config folder, locate the WebPortal.config file and open it, for example with Notepad.
- In the file, find the node <application> and remove its attribute allowInFrame="true", if it exists.
- Also in the node <application>:
- Create a new node named <overwriteHttpHeaders>
- Inside that node, add the lines:
- <add name="X-Frame-Options" value="ALLOW-FROM https://mydomain1.com"/></add>
- <add name="Content-Security-Policy" value="script-src 'self' 'unsafe-inline' 'unsafe-eval'; frame-ancestors 'self' https://mydomain1.com https://mydomain2.com"/>
- Replace the domains at frame-ancestors with the domain(s) that are allowed to display the Web Portal, but do not delete or change'self'.
- Save your changes.
If you get an 'Access denied' error, start Notepad using Run as administrator, open the file from there and return to step 3.
- Microsoft Internet Explorer does not support the HTTP Response Header Content-Security-Policy. It will use the X-Frame-Options header, which only supports one domain.
- Most other browsers will use the header Content-Security-Policy, which supports multiple domains.