Embedding OAS Dashboard in an iFrame on another subdomain

Rav Singh

My requirement is to embed OAS dashboard in an iFrame on a web page hosted on a different subdomain.

OAS version - 2024.

Currently the dashboard is not loading and giving error:

-Refused to display 'https://oas.xyz.com/' in a frame because it set 'X-Frame-Options' to 'deny'.

Does OAS have any security setting where I can modify the frame options/frame ancestors settings?

Gianni Ceresa

Is the page doing the embedding behind something? F5, proxy or anything else? Because if yes, the domain you add in OAS could maybe be that one, not the F5 or proxy etc. Or maybe all of them, as in theory the embedding is done by the browser that sees those sites at their “public” address (not fully sure with such a complexity).

All the layers add complexity, making debugging quite annoying and not so simple.

Gianni Ceresa

In OAS SSO is managed fully outside OAS, by your OHS (or any other proxy you have in front).
Therefore you can look at how to set that header in your OHS config, you should have a place where you handle the SSO piece and then proxy to OAS.

Rav Singh

Thanks @Gianni Ceresa.

This is working after adding Content-Security-Policy: frame-ancestors, in OHS httpd.conf.

Gianni Ceresa

Did you add the domain of your page where your OAS is embedded as a safe domain in OAS enabling embedding?

In DV > Console > Safe Domains , add your "subdomain" there and enable the embedding (do not enable it for "All domains", keep your OAS a bit safe).

https://docs.oracle.com/en/middleware/bi/analytics-server/administer-oas/register-safe-domains-1.html

In old OBIEE there was a setting in instanceconfig.xml (InIFrameRenderingMode) that has been replaced by CSP , and in OAS CSP is managed via the safe domains page.

Rav Singh

Yes, that is the first thing I did.

Added "test.xyz.com", and enabled Embedding.

I have also tried adding <InIFrameRenderingMode>allow</InIFrameRenderingMode> and "frame-ancestors"directive under CSP in instanceconfig.xml.

Gianni Ceresa

A MOS document was simply saying that this checkbox should do the job…

I imagine you did restart your OAS after setting that? (Just to make sure settings are applied).

Do you access your OAS directly or you go through a proxy or something like that? (The error message you posted gives a domain but no ports are visible, and by default OAS doesn’t listen on port 443)

Rav Singh

Yes, restart was done.

This is F5 URL.

Gianni Ceresa

ah! There is a “thing” in between…

Did you check if your F5 isn’t messing with the headers set from OAS?

Often that kind of product does override those headers for security reasons (providing a central management of CSP etc. in F5).

Rav Singh

We tried embedding https://oas.xyz.com and it displayed the OHS home page.

But when we tried https://oas.xyz.com/analytics, then same error.

Gianni Ceresa

So, not only you have a F5, but you also have OHS in front of OAS?

You have so many layers in between that the error you get probably doesn’t come from OAS at all.

Each one of those layers can mess with your headers, remove them, override them.

If you do embed the real OAS link, does it work? If yes, then you are fixed: your issue is somewhere else, either OHS or F5. They are all different products doing various things.

Rav Singh

To rule out F5 and OHS messing up, we tested https://oas.xyz.com and it displayed fine in the iFrame.

I will try with direct OAS link and update here.

Thank you.

Rav Singh

We do not have single SSO across domains, so we have SAML configuration to authenticate OAS users.

If I do setup a SAML session first and then load iFrame, the dashboard is displayed without issues. This is success even without any Safe Domain.

So probably, here issue might be https://oas.xyz.com/saml2 is blocking frame first.

If I try to load bi-security-login page in iFrame then get error - ancestor violates the following Content Security Policy directive: "frame-ancestors 'self'".

Where can CSP for /saml2 be modified?