Implementing SSO with Entra External ID in Embedded Applications Post Third-Party Cookie Deprecation

Question

We have a use case where we utilize Microsoft Entra External ID for Single Sign-On (SSO), supporting both federated and non-federated identity providers. In this setup, the client logs into their application using Entra External ID. Within the client’s application, our application is embedded as an iframe. Our app is a full-fledged web application with its own backend (not a single-page application).

We want to enable SSO for users accessing our app via the iframe, leveraging the fact that they are already authenticated in the client’s app.

However, with Chrome and other browsers phasing out third-party cookies, this approach no longer works as expected, since authentication tokens or session cookies from our domain are blocked in the iframe context.

What is the recommended or best practice approach to handle SSO in this scenario, given the third-party cookie restrictions?

Answer 1

Hi @Sandeep Gaur,

Thank you for contacting Q&A Forum. I would like to provide my findings and proposed solution:

Please note: access via an iframe to Entra ID (login.microsoftonline.com) is not permitted. There are no exceptions to this rule. Entra ID does not allow our sign-in pages to render inside of an iFrame. This is not a configurable option and no exceptions are allowed.

Enra ID sets "x-frame-options: deny" in response header. And this tells browser not to display the site within iframe to protect accounts from hijacking. Our suggestion is engaging your app development team to use full page redirection when connecting to login.microsoftonline.com, instead of the loading the page within an iframe.

Kindly let me know if this work for you and please let me know if you have any further questions.

If I have answered your question, please accept this answer as a token of appreciation and don't forget to give a thumbs up for "Was it helpful"!

Best regards,
Eric