We have an web app that we add MS Teams as a tab. It uses AAD for logging in and the SAML2.0 protocol. When setting it up within our own company, it worked without a hitch, but when we tried to add it to the ecosystem of one of our clients, it fails during the login redirect with: "login.microsoftonline.com not allowed to be embedded". We believe the issue is coming from the X-FRAME-Options: DENY
screenshot
But it's working within our own ecosystem. I asked our client if they have any kind of custom safe-guards in place that might be driving this behaviour but the answer came back negative. Does anyone know where this option could be added in/ removed from? Browsing the net says that that's not something that can be removed, but it definitely is not present in our own setup.
Thanks in advance
Normal web SAML cannot work by definition in an iframe in Teams tab, it has to follow Teams tab supported auth as of now. Giving few reference that might help: Have a look at Single sign-on support for tabs - Teams | Microsoft Docs and Teams SSO sample.
Please refer this question for discussion - How to deal with a redirect in Microsoft Teams Tab
Related
I am trying to set up IBM Watson Assistant Web Chat and from the documentation, it seems pretty simple (just do the config and copy and paste the embed code) https://cloud.ibm.com/docs/assistant?topic=assistant-deploy-web-chat
However, I have found that when I paste this onto my website, navigating to a different page or reloading will just refresh the session. This is not what I want as I want the session to continue off from where it was in the chat (and for all this to be displayed in the window). I have tried looking through the detailed documentation as well, but there doesn't seem to be what I'm looking for: https://web-chat.global.assistant.watson.cloud.ibm.com/docs.html?to=
I have also tried passing in the userid but still on navigation the chat refreshes.
Does anyone know if there's a way to solve this? I really need a solution since the same problem occurs on the live chat integration I have set up with salesforce.
Thanks, in advance
A feature update to support session history is coming soon.
I have been developing a system in .NET MVC and have up until had no problems logging in; however today I tried to log in on Chrome and the form is not being submitted instead I get the following error in the console:
This page includes a password or credit card input in a non-secure context.
A warning has been added to the URL bar.
For more information, see [Link Here]
I have verified that the log in page works in another browser (Firefox) and can confirm there is no issue in that browser. Is there something I can do short of converting to a HTTPS site, this is a test server for the company I work at and so they don't use HTTPS on in development websites.
I would expect (as Uwe Keim mentions) that you'd want to heed the warning and maybe discuss with your colleagues WHY they aren't testing with HTTPS if they use (or will use) it in Live? Self signed certificates can be used for these things so it doesn't involve a cost for internal-only development kit.
If that is a no-win situation, perhaps you may gain some benefit by adding it to your trusted sites list?
I built some widgets and uploaded on my local marketplace, is there a way to share that?
And better is it possible to share a Mashup (the widget composition) without giving the
possibility to wiring to the user?
I mean the user should use an application layout without change anything.
You can make public your workspaces/dashboards following the steps documented in the user guide. Only the owner of a workspace will be able to modify it. I think this is what are you searching for.
Another option is to create a packaged mashup using the "Upload to my resources" option in the editor view:
Take a look to the "Advanced" tab, where you can block widgets (make them unremovable), block connections (make wiring connections unremovable) and embed used widgets/operator (by default packaged mashups depends on the user having installed all the required widgets/operators. This way you can distribute the widgets and operators used by the mashup in the same package).
However, take into account that this method is meant for sharing mashup templates, the user will always be able to add additional widgets and create new connections in the wiring view.
Once packaged, mashups/dashboards (and widgets and operators) can be uploaded to a WStore server (e.g. to the Store portal provided on FIWARE Lab) for sharing them with other users. The steps for making this is also described in the WireCloud's user guide.
I have the problem, revisited.
I have set up a working Marketplace instance (v2.3) but am unable to integrate it with Wirecloud. The marketplace is correctly registered but all the requests i am making to this Marketplace are throwing 502 error, even though i am actually able to see some results when querying the Marketplace server through a browser.
Indicatively, i can issue a GET command at http://:8080/FiwareMarketplace/v1/registration/stores/ and get an answer, but Wirecloud's internal APIs return a 502 (Bad Gateway).
Any idea on what might have gone wrong?
PS: This happens for WC v0.6.5. When upgrading to a newer (Beta) version of WC, everything seems to be performing as expected, i.e. the marketplace is correctly inserted and the stores are correctly retrieved and processed.
I'm implementing a mutual authentication for my client in order to solve not having to continually whitelist some of the agencies with a dynamic ip. The process works fine in all browsers that I've tried in the Windows environment (Windows 7).
The problem is that there is a popup for every time that the user goes to the site. On most browsers, this is a one time occurrence, when you first go to the site for the day. On Google Chrome, however, the popup occurs on what appears to be every POST/GET request. I found how to disable the popup for IE and FF with this link: http://docs.threerings.org.uk/wiki/Certificates_without_prompting, but there is still the problem with Chrome.
I've tried to install the certificate into the Trusted Root Certification Authorities, but I get an error message, "The import failed because the store was read-only, the store was full, or the store did not open correctly.".
If anyone has an idea on what I can do to get around the pop-up for Chrome, it would be greatly appreciated.
This is what you're looking for:
http://www.chromium.org/administrators/policy-list-3#AutoSelectCertificateForUrls
I could tell you how to do it exactly, but my honest opinion is that this is something you have to work out yourself. You need to know what is going on because you are more than likely to run into bugs (not bugs per-se but some undesired or unwanted results).
I have to admit that Google Chrome and Chromium are great browsers, but when it comes to client certificates, they have a lot of improvements to be made.
Just some extra info on this that may help people.
The first part references the CFBundleIdentifier which you can find in the Contents folder then info.plist. Click you Application and then show package contents then you should see it.
So I had to do this for Chromium for Tizen debugging below worked obviously use your CN name.
defaults write org.chromium.Chromium AutoSelectCertificateForUrls -array-add -string '{"pattern":"*","filter":{"ISSUER":{"CN":"Entrust Certification Authority"}}}'
We have a secure website (SSL) in which we want to make calls to google's map server. The map server is http not https and every time there is a refresh of this screen (every minute for us) IE pops up its annoying mixed content message (trying to view a site with secure and non-secure info).
What I am looking for is a way around this. For example, is there a way to proxy the request so that our internal request is https but the other side of the proxy is not secure? I'm trying essentially to spoof the data to trick the browser.
Any ideas here? The actual security of the end point is less important than avoiding the error message itself.
Thanks!
Don
There is a way to suppress this at browser level, which might not be desirable for you, but I thought I'd throw it out there. In IE, Tools | Internet Options | Security | Internet Zone | Custom dialog box, you can set the "Display mixed content" to Enable. It's probably on prompt right now. Again, this is a single user browser level setting, so probably will not work for you. This does open up a lot of problems security wise though, and most admins will not do this (DNS poisoning, m-i-m etc).
Your second option is to become a premier customer: http://code.google.com/apis/maps/faq.html#ssl
Your third option is to use Virtual Earth - which supports native SSL w/o any strings
EDIT see similar question: here
As of March 2011, the Google Maps API is available to everyone over SSL:
http://googlegeodevelopers.blogspot.com/2011/03/maps-apis-over-ssl-now-available-to-all.html
Here's the problem with that. Even though the API is SSL the thumbnail images the map has for locations are NOT ssl. So you can still get a message.
remove runat="server" from head, where you are using code to link API to your page