I have set up an SAML connection for authenticating External Users, and I am able to redirect the users to Workshop Applications in my Foundry instance.
However, when I change the Home page URL configuration for this org’s users in Control Panel from:
Using the subdomain as a home page doesn’t work because the cross-origin redirect is blocked as a security measure.
Maybe you could have the OSDK app embedded in an iframe in a Workshop app? Or keep the Workshop app as the home page but have it redirect the user to the subdomain after authentication?
I think you might be missing the step detailed at https://www.palantir.com/docs/foundry/workshop/widgets-iframe.
You will need to configure the content security policy (CSP) in order to iframe external resources in your Foundry environment. The external resource itself must also set a frame-ancestors directive for the Content-Security-Policy header that allows your Foundry URL to embed the resource. If you are using a URL external to your Foundry environment that makes requests to Foundry APIs, you must additionally configure cross-origin resource sharing (CORS).
For you, this should be something like:
1. Go to Developer Console → select the application → Website Hosting → Advanced tab → Content Security Policy
2. Add a frame-ancestors directive that includes the main Foundry URL: frame-ancestors https://mystack.palantirfoundry.com
3. Re-deploy the website so the updated CSP is applied
Below is the output from the console. I have replaced the identifiers; if you want exact details, I also have an open issue ticket that no one has responded to yet.
fc1111c24036e5fa7a0a050ee8d0c6275490ab6a5c129150c7f3848a2c6d4289.js:3 foundry.objects.workshop.app.useInvalidateCachesOnBranchChange: Error invalidating caches while switching ontology branch: packageName=@foundry/workshop-core SafeError: Expected module state to exist
at S (fc1111c24036e5fa7a0a050ee8d0c6275490ab6a5c129150c7f3848a2c6d4289.js:5:1543937)
at wN.O [as getScenarioReferences] (fc1111c24036e5fa7a0a050ee8d0c6275490ab6a5c129150c7f3848a2c6d4289.js:5:1327292)
at wN.invalidateAll (fc1111c24036e5fa7a0a050ee8d0c6275490ab6a5c129150c7f3848a2c6d4289.js:5:931187)
at Object.onInvalidateAll (fc1111c24036e5fa7a0a050ee8d0c6275490ab6a5c129150c7f3848a2c6d4289.js:5:1010792)
at fc1111c24036e5fa7a0a050ee8d0c6275490ab6a5c129150c7f3848a2c6d4289.js:3:168057
at Array.map ()
at o.notifyListeners (fc1111c24036e5fa7a0a050ee8d0c6275490ab6a5c129150c7f3848a2c6d4289.js:3:80800)
at Object.onInvalidateAll (fc1111c24036e5fa7a0a050ee8d0c6275490ab6a5c129150c7f3848a2c6d4289.js:3:168036)
at fc1111c24036e5fa7a0a050ee8d0c6275490ab6a5c129150c7f3848a2c6d4289.js:3:277507
at Array.map ()
error @ fc1111c24036e5fa7a0a050ee8d0c6275490ab6a5c129150c7f3848a2c6d4289.js:3
fc1111c24036e5fa7a0a050ee8d0c6275490ab6a5c129150c7f3848a2c6d4289.js:2 ERROR foundry.objects.workshop.app.useInvalidateCachesOnBranchChange Error invalidating caches while switching ontology branch Object
SafeError: Expected module state to exist
at S (fc1111c24036e5fa7a0a050ee8d0c6275490ab6a5c129150c7f3848a2c6d4289.js:5:1543937)
at wN.O [as getScenarioReferences] (fc1111c24036e5fa7a0a050ee8d0c6275490ab6a5c129150c7f3848a2c6d4289.js:5:1327292)
at wN.invalidateAll (fc1111c24036e5fa7a0a050ee8d0c6275490ab6a5c129150c7f3848a2c6d4289.js:5:931187)
at Object.onInvalidateAll (fc1111c24036e5fa7a0a050ee8d0c6275490ab6a5c129150c7f3848a2c6d4289.js:5:1010792)
at https://prod.myapp.example.com/assets/content-addressable-storage/frontend/fc1111c24036e5fa7a0a050ee8d0c6275490ab6a5c129150c7f3848a2c6d4289.js:3:168057
at Array.map ()
at o.notifyListeners (fc1111c24036e5fa7a0a050ee8d0c6275490ab6a5c129150c7f3848a2c6d4289.js:3:80800)
at Object.onInvalidateAll (fc1111c24036e5fa7a0a050ee8d0c6275490ab6a5c129150c7f3848a2c6d4289.js:3:168036)
at https://prod.myapp.example.com/assets/content-addressable-storage/frontend/fc1111c24036e5fa7a0a050ee8d0c6275490ab6a5c129150c7f3848a2c6d4289.js:3:277507
at Array.map ()
logToConsole @ fc1111c24036e5fa7a0a050ee8d0c6275490ab6a5c129150c7f3848a2c6d4289.js:2
44c71ea536a1d2c1964bed6d1deb5802a0532ee0553e211095fbdfcd8ad9167a.js:2 [Blueprint] useHotkeys() was used outside of a context. These hotkeys will not be shown in the hotkeys help dialog.
(anonymous) @ 44c71ea536a1d2c1964bed6d1deb5802a0532ee0553e211095fbdfcd8ad9167a.js:2
fc1111c24036e5fa7a0a050ee8d0c6275490ab6a5c129150c7f3848a2c6d4289.js:5 Initial load: 1180.199999988079ms (870ms JS time)
fc1111c24036e5fa7a0a050ee8d0c6275490ab6a5c129150c7f3848a2c6d4289.js:5 Unable to parse url: . TypeError: Failed to construct ‘URL’: Invalid URL
at fc1111c24036e5fa7a0a050ee8d0c6275490ab6a5c129150c7f3848a2c6d4289.js:5:5708
at T.render (fc1111c24036e5fa7a0a050ee8d0c6275490ab6a5c129150c7f3848a2c6d4289.js:5:5789)
at uS (9df6a9d67f47662163354307c6942c1bcbbb87ccc86cba0d6f5e925dcf7e1cc3.js:1:75980)
at uw (9df6a9d67f47662163354307c6942c1bcbbb87ccc86cba0d6f5e925dcf7e1cc3.js:1:75778)
at o3 (9df6a9d67f47662163354307c6942c1bcbbb87ccc86cba0d6f5e925dcf7e1cc3.js:1:120533)
at oq (9df6a9d67f47662163354307c6942c1bcbbb87ccc86cba0d6f5e925dcf7e1cc3.js:1:99218)
at oQ (9df6a9d67f47662163354307c6942c1bcbbb87ccc86cba0d6f5e925dcf7e1cc3.js:1:99088)
at oF (9df6a9d67f47662163354307c6942c1bcbbb87ccc86cba0d6f5e925dcf7e1cc3.js:1:94161)
at S (9df6a9d67f47662163354307c6942c1bcbbb87ccc86cba0d6f5e925dcf7e1cc3.js:1:136963)
at z (9df6a9d67f47662163354307c6942c1bcbbb87ccc86cba0d6f5e925dcf7e1cc3.js:1:137493)
(anonymous) @ fc1111c24036e5fa7a0a050ee8d0c6275490ab6a5c129150c7f3848a2c6d4289.js:5
fc1111c24036e5fa7a0a050ee8d0c6275490ab6a5c129150c7f3848a2c6d4289.js:2 Unexpected object: core/iframe-url
i @ fc1111c24036e5fa7a0a050ee8d0c6275490ab6a5c129150c7f3848a2c6d4289.js:2
fc1111c24036e5fa7a0a050ee8d0c6275490ab6a5c129150c7f3848a2c6d4289.js:2 Unexpected object: core/iframe-url
i @ fc1111c24036e5fa7a0a050ee8d0c6275490ab6a5c129150c7f3848a2c6d4289.js:2
fc1111c24036e5fa7a0a050ee8d0c6275490ab6a5c129150c7f3848a2c6d4289.js:2 Unexpected object: core/iframe-url
i @ fc1111c24036e5fa7a0a050ee8d0c6275490ab6a5c129150c7f3848a2c6d4289.js:2
9df6a9d67f47662163354307c6942c1bcbbb87ccc86cba0d6f5e925dcf7e1cc3.js:1 Framing ‘https://mystack.palantirfoundry.com/’ violates the following Content Security Policy directive: “frame-src ‘self’ mailto: blob: https://dalgona-containers.palantirfoundry.com https://demo.mystack.palantirfoundry.com/ https://sandboxes-dalgona.palantirfoundry.com”. The request has been blocked.
Are you trying to iframe your Foundry instance at all within your OSDK React application?
@amish
Not sure if I understand your question, but I have only iframed my OSDK app in Workshop. And for the OSDK app’s CSP, my stack is present in frame-ancestors (see attached image in previous comment).
But the whole thing is my external user coming via a third-party authentication service, via SAML, and then I assign them to an organization; for that org, the homepage is a Workshop in which I have now iframed the OSDK app.
I have added exact details in the issue support ticket that I have raised; if you can look into that, you can get a better idea.
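The thread involves two separate CSP checks: frame-ancestors on the embedded resource (the steps in the answer above) and frame-src on the embedding document (the violation in the console output). The following is an added example, not code from Foundry or from any poster, that evaluates both with a simplified source matcher; the function names and the `ASSUMED_SELF` origin are hypothetical.

```javascript
// Added example: simplified CSP source matching (paths, nonces and hashes are ignored).
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // A repeated directive is ignored; the first occurrence wins.
    if (name && !directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

function sourceMatches(expr, url, selfOrigin) {
  if (expr === "'self'") return url.origin === selfOrigin;
  if (expr === '*') return url.protocol === 'http:' || url.protocol === 'https:';
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return url.protocol === expr.toLowerCase(); // e.g. blob:
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\d+|\*))?(?:\/.*)?$/i.exec(expr);
  if (!m) return false;
  const [, scheme, host, port] = m;
  if (scheme && url.protocol !== scheme.toLowerCase() + ':') return false;
  const defaultPort = url.protocol === 'https:' ? '443' : '80';
  if (port !== '*' && (port ?? defaultPort) !== (url.port || defaultPort)) return false;
  const h = host.toLowerCase();
  // Only a leading "*." widens a host; otherwise the host must be identical,
  // so a subdomain entry does not cover its parent domain or the reverse.
  return h.startsWith('*.') ? url.hostname.endsWith(h.slice(1)) : url.hostname === h;
}

function allowedBy(policy, directiveChain, target, selfOrigin) {
  const directives = parseCsp(policy);
  const name = directiveChain.find((n) => directives.has(n));
  if (!name) return true; // no governing directive, so CSP does not restrict this
  const url = new URL(target);
  return directives.get(name).some((s) => sourceMatches(s, url, selfOrigin));
}

// Embedder side: may a document with this policy load `child` in an iframe?
const canFrame = (policy, child, self) => allowedBy(policy, ['frame-src', 'child-src', 'default-src'], child, self);
// Embedded side: may `parent` embed a resource served with this policy?
const canBeFramedBy = (policy, parent, self) => allowedBy(policy, ['frame-ancestors'], parent, self);

// Policy text from the console message in the thread (typographic quotes normalised).
const EMBEDDER_CSP = "frame-src 'self' mailto: blob: https://dalgona-containers.palantirfoundry.com " +
  "https://demo.mystack.palantirfoundry.com/ https://sandboxes-dalgona.palantirfoundry.com";
// Directive from the answer's step list.
const EMBEDDED_CSP = 'frame-ancestors https://mystack.palantirfoundry.com';
// Assumption: the enforcing document's origin is not shown on the page; placeholder value.
const ASSUMED_SELF = 'https://embedder.example';

console.log(canFrame(EMBEDDER_CSP, 'https://mystack.palantirfoundry.com/', ASSUMED_SELF));
console.log(canBeFramedBy(EMBEDDED_CSP, 'https://mystack.palantirfoundry.com', ASSUMED_SELF));
```

The first result is false and the second is true: the frame-ancestors entry permits the main Foundry URL as a parent, but the quoted frame-src list only permits that URL as a child when the enforcing document is itself served from it, since it would then match 'self'.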