[Question] Leverage of iframe public server to private server SSO

[salmon-walker5]

Hello,

I am sorry if this is not the correct place, but since this is an evolving standard and embedded into chromium browsers I have a loaded question to ask:

Besides local server request and enforcement - is there anything related to this spec that may block SSO authentication between public and private servers if local host access is being asked for programatically - that is if we tell iframes to ask for access to a local SSO server - should it work? I know the GPOs are for user preference right? So that are not needed unless you do not want users to make decisions. Just looking for some clairfication here.

I am asking about all types of SSO chained communications. Java script etc.

[hubertchao]

Besides local server request and enforcement - is there anything related to this spec that may block SSO authentication between public and private servers if local host access is being asked for programatically - that is if we tell iframes to ask for access to a local SSO server - should it work?

Local server request and enforcement is what this spec is controlling for, not just for localhost, but also for servers hosted in the local IP address space (see here).

Whether tell[ing] iframes to ask for access to a local SSO server would work or not depends on the hosting location of the SSO server and specific implementation details about the iframe in question. You can look at the Chrome LNA FAQ for some general guidelines; your mileage may vary if you're looking at other browsers.

I know the GPOs are for user preference right?

Chrome maps certain GPO's to enterprise policies. That is not relevant for all users though.