How can the x-frame-options HTTP header of ADFS 3 be manipulated?
By default, ADFS 3 responses contain the "X-Frame-Options: DENY" HTTP header. This prevents ADFS from being run in an iframe, because this presents an opportunity for clickjacking attacks.
At the moment my company is however implementing an integration where an exception should be made to this security rule: pages on a certain domain should be able to embed ADFS in an iframe.
It seems however that ADFS does not allow changing this out-of-the box. So what is the best way to modify this HTTP header?
For example as suggested in the RFC (https://www.rfc-editor.org/rfc/rfc7034#section-2.3.2.3)?
A page that wants to render the requested content in a frame supplies its own origin information to the server providing the content to be framed via a query string parameter.
The server verifies that the hostname meets its criteria, so that the page is allowed to be framed by the target resource. This may, for example, happen via a lookup of a whitelist of trusted domain names that are allowed to frame the page. For example, for a Facebook "Like" button, the server can check to see that the supplied hostname matches the hostname(s) expected for that "Like" button.
The server returns the hostname in "X-Frame-Options: ALLOW-FROM" if the proper criteria was met in step #2.
The browser enforces the "X-Frame-Options: ALLOW-FROM" header.
Solution 1:
Use a web server as reverse proxy in front of the ADFS 3 and modify the HTTP header. This can be accomplished with Apache or Nginx. Test this thoroughly before delivering it, as ADFS 3 might not like having a proxy. I don't have a way to provide a Proof of Concept
It is one more server and service to manage, but I understand this is a requirement you must meet