Cross Site ADFS Requests fail when Third Party Cookie Disabled

Karl Fraser 1 Reputation point
2020-08-11T09:55:57.987+00:00

Chrome 83 has disabled third-party cookies in Incognito, and Google is looking to implement this in the standard browser in Jan 2022. I'm looking for options around handling these requests, which currently fail with third-party cookies disabled (in Firefox as well).
We have a website abcd.com that redirects to adfs.xyz.com and authenticates users on ADFS 4.0 and then takes the user back to abcd.com. This works successfully, but when we request content from content.xyz.com (cross-site) it fails at the adfs.xyz.com ADFS page with a "Refused to display 'https://adfs.xyz.com/adfs/ls/' in a frame because it set 'X-Frame-Options' to 'deny'" error.

Some of my thoughts were to do a URL transform (rewrite) on the ADFS server and/or content server, but I feel the requests from abcd.com to xyz.com would not be rewritten.
Is there a way to have multiple domains in the header of ADFS?

Or does the website need to be re-written without iFrames?


1 answer

  1. Pierre Audonnet - MSFT 10,181 Reputation points Microsoft Employee
    2020-08-11T14:29:03.43+00:00

    iFrames are blocked by default for authentication endpoints. It is so for security reasons.
    That said, you can modify the headers that ADFS will return (even on ADFS for Windows Server 2016, as long as you have installed KB4493473 and KB4507459). See here for documentation.

    Example:

    Set-AdfsResponseHeaders -SetHeaderName "X-Frame-Options" -SetHeaderValue "allow-from https://www.example.com"

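The following is an added PowerShell example, not part of the original answer or of Microsoft's documentation. It builds on the Set-AdfsResponseHeaders cmdlet from the answer to address the question's "multiple domains" point: the X-Frame-Options header accepts only a single origin, and its allow-from value is obsolete and ignored by Chrome, Edge and Safari, so the current way to permit framing from several named sites is a Content-Security-Policy frame-ancestors directive, which AD FS can also emit through the same cmdlet. Hostnames are placeholders taken from the question; the -EnableResponseHeaders parameter and the need to restart adfssrv are taken from the AD FS 2019 cmdlet documentation as I know it, so check Get-Help Set-AdfsResponseHeaders on your own farm before relying on them.

```powershell
# Added example, not from the original post. Assumes AD FS 2019, or AD FS 2016 with
# KB4493473 and KB4507459, run in an elevated session on the primary AD FS server.
# Placeholder origins from the question; replace with the sites that may frame AD FS.
$frameAncestors = @('https://abcd.com', 'https://content.xyz.com')

# Record what AD FS currently sends so the change can be reviewed or rolled back.
$before = Get-AdfsResponseHeaders
$before | Format-List

# Custom response headers are only emitted when the feature is switched on.
Set-AdfsResponseHeaders -EnableResponseHeaders $true

# Modern browsers honour frame-ancestors and ignore X-Frame-Options allow-from,
# so CSP is the header that actually lifts the "Refused to display" error.
# 'self' keeps AD FS's own pages working; each additional origin is listed explicitly.
$csp = "frame-ancestors 'self' " + ($frameAncestors -join ' ')
Set-AdfsResponseHeaders -SetHeaderName 'Content-Security-Policy' -SetHeaderValue $csp

# X-Frame-Options cannot carry a list. Leave it at DENY or SAMEORIGIN for legacy
# browsers; when both headers are present, CSP-capable browsers prefer frame-ancestors.
Set-AdfsResponseHeaders -SetHeaderName 'X-Frame-Options' -SetHeaderValue 'SAMEORIGIN'

# Changes take effect after the AD FS service restarts.
Restart-Service adfssrv

# Verify the headers AD FS now advertises before testing from a browser.
Get-AdfsResponseHeaders | Format-List
```

Allowing the frame only removes the X-Frame-Options error described in the question; it does nothing for the cookie half of the problem. Inside an iframe on abcd.com, the adfs.xyz.com session cookie is still a third-party cookie and is still blocked by the browser settings the question describes, so the sign-in in the frame will fail for that reason instead. The robust fix is a top-level redirect to AD FS (as the site already does for its own login) rather than framing the authentication endpoint, which is also why AD FS denies framing by default.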
