We have a Discourse instance set up with SSO (using SAML/Shibboleth), and I configured it to allow embedding content on another subdomain which also uses the same SSO.
Here is the problem I am experiencing:
- User visits a page on subdomain X, which embeds a topic from Discourse, which is hosted on subdomain Y.
- User is redirected to subdomain Z for SSO login. They are then redirected back to subdomain X.
- The page on subdomain X pulls in the JavaScript embed file, which creates an iframe that attempts to pull in the forum topic. However, Discourse (subdomain Y) redirects the iframe to subdomain Z for SSO, and since the user is already logged in it redirects back to the Discourse embed URL. But this results in a 400 “Error Embedding” error, since the referer URL now comes from subdomain Z (the SSO subdomain), instead of subdomain X (the domain that is approved/whitelisted for embedding). Discourse returns the message “The referer was either not sent, or did not match any of the following hosts”.
- When you refresh the page, everything works perfectly fine (i.e., the forum topic gets pulled in successfully), presumably because the browser now has a valid session cookie, which eliminates the need to redirect to the SSO subdomain.
Is there anything I can do to fix this properly? Right now I have a really terrible hack set up, which first attempts to load the forum topic into a hidden iframe, and then waits 1 second before actually loading the topic into the real page that is visible to the user.
Any help/suggestions would be appreciated!