Duo Web iframe and Office (embedded) browsers

#1

The Microsoft Office “thick” clients (Word, Excel, etc. on MacOS, Windows, iPhone, Android) support enterprise logins to Office 365 with an embedded browser that’s launched when you try to sign-in.

If using the iframe as shown in https://duo.com/docs/duoweb

<iframe id="duo_iframe">
</iframe>

For our custom WebSSO, when the embedded browser attempts to render the html page with the iframe, it fails and the sign-up stops. A Microsoft employee wrote

https://blogs.technet.microsoft.com/office_integration__sharepoint/2018/02/26/officeword-excel-etc-fails-to-render-duo-multifactor-authentication-login-page/

(which seems to have disappeared from the website very recently, but I have the content appended below.)

In that blog the suggestion was a iframe element like

<iframe id="duo_iframe" src="/images/tiny.gif">
</iframe>

The difference being that a minimal image is initially inserted into the iframe. We found that this does fix the problem and people can sign-in from those browsers (and it still works on traditional ones).

So, I was wondering what the folks at Duo think of this, and if it appears to be reasonable, be officially documented?

(Here’s that blog’s content, including its (one) comment)

0 Likes

#2

Hi Phil,
I discussed this with our engineering team, and please be aware that we do not recommend setting the src on the iframe. It will fix this specific bug but can (and does) break other integrations.

We are actively working on a fix for this and will be releasing a new minor version of the Duo Web SDK that fixes this bug without breaking other integrations. I’ll follow up in this thread when that becomes available.

0 Likes