function readOnly(count){ }
Starting November 20, the site will be set to read-only. On December 4, 2023,
forum discussions will move to the Trailblazer Community.
+ Start a Discussion
Marijus Gorinas 13Marijus Gorinas 13 

Single Sign-on (via Okta) refused to connect in Lightning for pages with iFrames

We recently rolled out lightning and anytime Classic UI or Visualforce Page is loaded in Lightning Experience, that part of the page does not load. This affects standard pages such as the ones found in Setup as well as Visualforce pages embedded in Lightning Record pages. This affects only 2 users in all browsers. Salesforce IT won't help us because they say this is a Single Sign-on issue and is not covered for 'standard customers'.

The error in Chrome's developer console says: 
  • Refused to Display: ..okta/com/app/salesforce/... in a frame because it set 'X-Frame-Options' to 'sameorgin'

I understand that the error means the same orgin flag was set in the reponse header, but I don't know how to fix it since this is standard Salesforce embedding (iframe) functionality.  Note, clickjack protection has been turned off.

Has anyone run into this issue?

User-added imageUser-added image
Todd Fredricks LiveTodd Fredricks Live
I have the same issue but it just started 2 days ago and have been on lightning and using okta for over a year.    Did you ever solve this?
Alejandro GarzaAlejandro Garza
Hello, could you please share any info on this if you were able to resolve it?
Harshita DwivediHarshita Dwivedi
I am getting same error, and I am a new admin user  added to org. looking for resolution
Earl MilamEarl Milam
This is an old thread, but I had the same issue this morning "suddenly".  I found this post, which started me on the path, then another Okta article which says if you turn on iframe embedding (okta overall setting) then that fixes this. (article here:  I turned on the iframe embedding in okta, and then when the user accessed the visual force page, he got a message that cookies were required and needed to be enabled.  When he checked his browser, for some reason, there were three cookies associated with our instance of salesforce that were blocked.  Once he allowed those, he was able to access the page.  Then I turned off the iframe embedding in Okta, and he was STILL able to access the page.

So... the root cause in my case was that the cookies from salesforce (or maybe okta, but related to our salesforce instance) were blocked.

That may not be the issue in all cases, but it solved the issue for me.
Earl MilamEarl Milam
I suppose it is possible that the original issue (i.e. okta not allowed in iframe) caused the cookies to be blocked... I cannot really say why they were blocked, but allowing them fixed the issue.