I am experiencing an issue with Chrome only. A partner is using an IFRAME to hit our SSO endpoint. When this happens, the IFRAME’s content becomes:
<form method=“post” action=“”>https://qa-courseplayer.educatored.com/plplogin/samlacs">
<input type=“hidden” name=“RelayState” value=“”>https://qa-courseplayer.educatored.com/plplogin/CourseRedirect?courseId=114740">
NOTE: I have removed the SAML Response Value, but it is a valid response.
Then, chrome generates the following error:
send?sp=KDS-QA&SAMLRequest=[Valid Request Data]=https%3A%2F%2Fqa-courseplayer.educatored.com%2Fplplogin%2FCourseRedirect%3FcourseId%3D114740:1 Mixed Content: The page at ‘https://test.pepperpd.com/courses/PCGEducation/KDS1002/S2019/courseware/5b1cad121de741da9c4d38c442cfd76c/5d4b95a661d04e98ae9c340e05b89596/’ was loaded over HTTPS, but requested an insecure form action ‘http://qa-courseplayer.educatored.com/PlpLogin/Login?ReturnUrl=%2Fplplogin%2FCourseRedirect%3FcourseId%3D114740’. This request has been blocked; the content must be served over HTTPS.
I cannot figure out where the unsecured version of the login request is coming from. To be sure, it is not in the code-base as I’ve searched it, and I do not see it in the host application’s code when I inspect the code that I can see.
Any suggestions are welcomed.
Thanks!
CWM
I’m not sure. I suggest using Chrome browser developer tools (F12) to capture the network traffic to see what’s happening. Let me know what you find.