SSO and embedding

We have a Discourse instance set up with SSO (using SAML/Shibboleth), and I configured it to allow embedding content on another subdomain which also uses the same SSO.

Here is the problem I am experiencing:

  1. User visits a page on subdomain X, which embeds a topic from Discourse, which is hosted on subdomain Y.
  2. User is redirected to subdomain Z for SSO login. They are then redirected back to subdomain X.
  3. The page on subdomain X pulls in the JavaScript embed file, which creates an iframe that attempts to pull in the forum topic. However, Discourse (subdomain Y) redirects the iframe to subdomain Z for SSO, and since the user is already logged in it redirects back to the Discourse embed URL. But this results in a 400 “Error Embedding” error, since the referer URL now comes from subdomain Z (the SSO subdomain), instead of subdomain X (the domain that is approved/whitelisted for embedding). Discourse returns the message “The referer was either not sent, or did not match any of the following hosts”.
  4. When you refresh the page, everything works perfectly fine (i.e., the forum topic gets pulled in successfully), presumably because the browser now has a valid session cookie, which eliminates the need to redirect to the SSO subdomain.

Is there anything I can do to fix this properly? Right now I have a really terrible hack set up, which first attempts to load the forum topic into a hidden iframe, and then waits 1 second before actually loading the topic into the real page that is visible to the user.

Any help/suggestions would be appreciated!

Upon doing some further digging around, I wonder if a slightly less hacky solution would be to adapt the approach described by @simon in this post: Automatically login via SSO

  1. Enable “sso allows all return paths” setting
  2. Add a hidden iframe on my page, which loads https://discourse.example.com/session/sso?return_path=path_to_mypage.html
  3. When the user is logged in (no interaction, since the user already logged in via SSO into the app in the parent page) and the iframe is redirected to mypage.html, it can communicate to the parent page via postMessage() that the user has been logged into Discourse, and trigger the script to embed the forum topic.
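As an added example (not code from the original post or from Discourse), here is one way to wire up the three steps above so the parent page only trusts the `postMessage()` from its own return page. The hostnames, the return page path (`/discourse-sso-done.html`, standing in for "mypage.html"), the message string, the fallback timeout and the `DiscourseEmbed` option names are assumptions; the `sso allows all return paths` setting and the `/session/sso?return_path=` URL are the ones named in the post.

```javascript
// Added example (not part of the original post): the hidden-iframe SSO warm-up
// sketched above, with the parent page validating the postMessage() before it
// trusts it. All hostnames, paths and the message string are assumptions.
const DISCOURSE_ORIGIN = 'https://discourse.example.com'; // assumed: Discourse (subdomain Y)
const PARENT_ORIGIN = 'https://www.example.com';          // assumed: embedding page (subdomain X)
const RETURN_PAGE = PARENT_ORIGIN + '/discourse-sso-done.html'; // assumed: "mypage.html" from step 2
const LOGIN_MESSAGE = 'discourse-sso-complete';           // assumed: payload the return page posts
const FALLBACK_MS = 5000;                                 // assumed: stop waiting and embed anyway

// Step 2: URL for the hidden iframe. return_path is URL-encoded as a query
// parameter; an absolute return path needs "sso allows all return paths".
function buildSsoWarmupUrl(discourseOrigin, returnPath) {
  const url = new URL('/session/sso', discourseOrigin);
  url.searchParams.set('return_path', returnPath);
  return url.toString();
}

// Step 3, parent side: only a message from the origin the return page lives on,
// carrying the agreed payload, may trigger the embed. Without the origin check
// any document that can reach window.parent could fire it.
function isTrustedLoginMessage(event, expectedOrigin, expectedPayload) {
  return event.origin === expectedOrigin && event.data === expectedPayload;
}

// Step 3, inside the return page: notify the parent with an explicit target
// origin rather than '*', so the message cannot reach an unexpected embedder.
function notifyParentLoggedIn(win) {
  if (win.parent && win.parent !== win) {
    win.parent.postMessage(LOGIN_MESSAGE, PARENT_ORIGIN);
  }
}

// Parent page: create the hidden iframe, wait for the trusted message (or the
// fallback timer, so a failed SSO round-trip still shows the topic), then embed.
function startSsoWarmup(doc, win, onLoggedIn) {
  const iframe = doc.createElement('iframe');
  iframe.style.display = 'none';
  iframe.src = buildSsoWarmupUrl(DISCOURSE_ORIGIN, RETURN_PAGE);

  let done = false;
  let timer = null;
  const finish = () => {
    if (done) return;            // guard against message + timeout both firing
    done = true;
    win.clearTimeout(timer);
    win.removeEventListener('message', onMessage);
    iframe.remove();
    onLoggedIn();
  };
  const onMessage = (event) => {
    if (isTrustedLoginMessage(event, PARENT_ORIGIN, LOGIN_MESSAGE)) finish();
  };
  timer = win.setTimeout(finish, FALLBACK_MS);

  win.addEventListener('message', onMessage);
  doc.body.appendChild(iframe);
  return finish; // returned so a caller can force completion if needed
}

// Standard Discourse embed snippet; the option names are assumed here, not
// taken from the post.
function loadDiscourseEmbed(doc, win, topicUrl) {
  win.DiscourseEmbed = { discourseUrl: DISCOURSE_ORIGIN + '/', discourseEmbedUrl: topicUrl };
  const script = doc.createElement('script');
  script.async = true;
  script.src = DISCOURSE_ORIGIN + '/javascripts/embed.js';
  doc.head.appendChild(script);
}

// Browser entry point; skipped when the file is loaded outside a browser.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  if (window.location.pathname === '/discourse-sso-done.html') {
    notifyParentLoggedIn(window); // this script is included by the return page inside the iframe
  } else {
    startSsoWarmup(document, window, () =>
      loadDiscourseEmbed(document, window, window.location.href));
  }
}
```

The same script serves both pages: the return page only posts the message, the embedding page creates the iframe and embeds once the message (or the fallback timer) arrives. The fallback keeps the topic visible even if the SSO hop fails, and the origin check is what stops an unrelated frame from triggering the embed.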

Still doesn’t seem like the ideal solution, since it will generate extra round-trips (the above process is only really necessary if the user is not already logged into Discourse).

It seems to me like the ideal solution would be if it was somehow possible to preserve the referer URL of the embedding page when it gets redirected through SSO.

Edit: I implemented the improved “hack” described above in this post, and at the very least I can say it works much better than the original hack that I described in the OP.