Project Status: Underway
Support for SSO integrations within an iFrame window will be discontinued, specifically for MFA challenges. The IAM team is currently evaluating critical services and applications that rely on iFrame-based integrations for Duo MFA authentication. An end-of-support date will be announced once that evaluation is complete. Our goal is to ensure that any future changes are implemented in a manner that minimizes disruption to University services while maintaining appropriate security protections.
Background
iFrames are a security risk for both the embedding and the embedded site. “Clickjacking” and phishing are the specific risks we are mitigating for sites that may embed Duo MFA authentication. In addition, Duo security key features require us to end iFrame support.
Who Is Affected?
- Web application developers and web service owners and managers.
- Websites or portals that directly embed other PennKey-protected applications or Duo MFA integrated applications.
Impact & Actions Needed
- If your application uses SSO within an iFrame, plan for a future transition away from this configuration, as support for this functionality will eventually be discontinued.
- Application owners should review their environments and identify any dependencies on Duo MFA authentication within iFrames.
- You’ll need to change this setup following general web application practices (e.g., authenticating before the iFrame is loaded, or removing iFrame layers from content).
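One way to carry out the review step above, as an added example that is not ISC's or Duo's own tooling: a Python script that lists the frames in a page and flags those whose source is on a list of SSO-protected hosts. The hostnames, `PROTECTED_HOSTS`, `IframeCollector` and `find_framed_sso` are assumptions made for illustration, and the sample HTML is constructed.

```python
# Added example: inventory <iframe> tags and flag those framing SSO-protected hosts.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumption: placeholder hostnames; replace with the hosts of your own
# PennKey-protected or Duo MFA integrated applications.
PROTECTED_HOSTS = {"sso-app.example.edu", "portal.example.edu"}


class IframeCollector(HTMLParser):
    """Collects the src attribute of every <iframe>/<frame> element."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names for us.
        if tag in ("iframe", "frame"):
            self.sources.append(dict(attrs).get("src") or "")


def find_framed_sso(html, page_url, protected_hosts=PROTECTED_HOSTS):
    """Return sorted absolute URLs of frames whose host is SSO-protected."""
    collector = IframeCollector()
    collector.feed(html)
    flagged = set()
    for src in collector.sources:
        if not src.strip():
            continue  # frame without a source (e.g. filled in later by script)
        absolute = urljoin(page_url, src.strip())  # resolves relative and //host URLs
        host = (urlsplit(absolute).hostname or "").lower()
        if host in protected_hosts:
            flagged.add(absolute)
    return sorted(flagged)


# Constructed sample page, not taken from any real site.
SAMPLE_HTML = """
<html><body>
  <iframe src="https://SSO-App.example.edu/reports"></iframe>
  <IFRAME SRC="//portal.example.edu/inbox?view=1"></IFRAME>
  <iframe src="/local/widget.html"></iframe>
  <iframe src="https://video.example.org/embed/42"></iframe>
  <iframe></iframe>
</body></html>
"""

if __name__ == "__main__":
    for url in find_framed_sso(SAMPLE_HTML, "https://dept.example.edu/home"):
        print("review:", url)
```

This only sees frames present in the static HTML; frames injected by JavaScript at runtime need a check in the browser's developer tools.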
What Happens If No Action Is Taken
- Users may lose access to embedded content and will receive error messages like the following:
Help & Resources
- Support Providers may contact ISC Client Care for issues.
- Duo Knowledge Base article on iFrames.
