
I'm working on a tool that embeds an iframe of an external app. The authentication to this external app is via SAML and Keycloak. However when using the iframe, the SAML request to Keycloak does not work: "... has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource."

Scenario 1: Accessing the external app using the browser (normal way)

I get redirected to the Keycloak login page and after successful authentication, it redirects to the external app and everything works fine.

Scenario 2: Loading the external app using the iframe

The iframe is loaded and the Keycloak login page is shown. However, after entering the credentials, the triggered SAML request to Keycloak is blocked due to the CORS issue, see Failed SAML request to Keycloak within the iframe. Once I click on the failed URL (starting with "saml?SAMLRequest=...") and access it the normal way (browser), everything works fine.

I read on multiple sites, e.g. here Keycloak Access-Control-Allow-Origin, that you have to enter your webpage (in this case localhost:8080) to the Web Origin field within the Keycloak interface. This one only exists when choosing the openid-connect value in Client Protocol though. So, when switching from openid-connect to SAML, which I use, the Web Origin field disappears. I even tried to export the config file for that Keycloak client in order to manually enter the WebOrigin property, which did not work either. How can I change the CORS policy for this iframe when using SAML (not openid-connect) since I don't have access to the Web Origin field?

Thanks in advance!

marci_

1 Answer

Keycloak doesn't allow itself to be loaded in an iframe by default.

Keycloak admin must allow that explicitly per realm in the Realm settings->Security Defenses->Headers->X-Frame-Options. Make sure you understand all security consequences before you allow Keycloak in the iframe. It's a security setting.

Jan Garaj
  • Thanks for your reply! I already whitelisted the domains in X-Frame-Options (via allow-from http://...) and Content-Security-Policy (via frame-src 'self' http://...). The iframe itself is visible, "only" the login in it doesn't work, since the SAML request that is triggered when logging in is blocked. – marci_ Aug 04 '21 at 13:03
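As an added example (not part of the question or the answer), the following Python check evaluates the anti-framing headers Keycloak emits under Realm Settings -> Security Defenses -> Headers against a prospective embedding origin. It distinguishes frame-ancestors (who may embed Keycloak) from frame-src (what Keycloak's own page may embed); the Keycloak host name and the header sets are constructed assumptions, not captured responses.

```python
# Added example: decide whether a page at embedder_origin may frame a Keycloak
# page, given Keycloak's response headers. The Keycloak origin and header
# values below are constructed sample data, not captured from a real server.
from urllib.parse import urlparse


def _origin(value: str) -> str:
    """Reduce a URL or source expression to scheme://host[:port], lower-cased."""
    p = urlparse(value)
    return f"{p.scheme}://{p.netloc}".lower()


def _csp_directive(csp: str, name: str):
    """Return the source list of one CSP directive, or None if it is absent."""
    for part in csp.split(";"):
        tokens = part.strip().split()
        if tokens and tokens[0].lower() == name:
            return [t.lower() for t in tokens[1:]]
    return None


def framing_allowed(headers: dict, keycloak_origin: str, embedder_origin: str) -> bool:
    """True if embedder_origin may put the Keycloak page in an iframe.

    Header names are matched case-insensitively. Per the CSP specification a
    frame-ancestors directive takes precedence over X-Frame-Options. frame-src
    is ignored on purpose: it limits what Keycloak's page embeds, not who
    embeds Keycloak, so listing the embedder there does not open framing.
    """
    h = {k.lower(): v for k, v in headers.items()}
    keycloak_origin, embedder_origin = _origin(keycloak_origin), _origin(embedder_origin)
    ancestors = _csp_directive(h.get("content-security-policy", ""), "frame-ancestors")
    if ancestors is not None:
        if "'none'" in ancestors:
            return False
        if "'self'" in ancestors and embedder_origin == keycloak_origin:
            return True
        return any(_origin(src) == embedder_origin for src in ancestors if "://" in src)
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return embedder_origin == keycloak_origin
    # Legacy ALLOW-FROM is obsolete and ignored by current browsers; modelled
    # here with its historical meaning only so the result is explicit.
    if xfo.startswith("ALLOW-FROM"):
        return _origin(xfo[len("ALLOW-FROM"):].strip()) == embedder_origin
    return True  # no anti-framing header at all


KEYCLOAK = "https://keycloak.example"          # constructed placeholder host
EMBEDDER = "http://localhost:8080"             # the embedding page from the question
KEYCLOAK_DEFAULT = {"X-Frame-Options": "SAMEORIGIN",
                    "Content-Security-Policy": "frame-src 'self'; frame-ancestors 'self'; object-src 'none';"}
FRAME_SRC_ONLY = {"X-Frame-Options": "SAMEORIGIN",
                  "Content-Security-Policy": "frame-src 'self' http://localhost:8080; frame-ancestors 'self'; object-src 'none';"}
ALLOWS_EMBEDDER = {"X-Frame-Options": "SAMEORIGIN",
                   "Content-Security-Policy": "frame-src 'self'; frame-ancestors 'self' http://localhost:8080; object-src 'none';"}
```

Only the third header set admits the embedder; the second shows that widening frame-src alone leaves the realm's own frame-ancestors 'self' in force.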