VIP JavaScript PUSH fails with login failure message with ADFS integration on Server 2019

Article ID: 176043

Products

VIP Service

Issue/Introduction

End-user login fails with a 'login failed' message after enabling the VIP JavaScript integration on Windows Server 2019 AD FS. The browser reports: The loading of “https://your.IdP.example:8233/vipssp/trustedserviceaccess” in a frame is denied by “X-Frame-Options” directive set to “SAMEORIGIN”.

Cause

To protect against common web vulnerabilities and let administrators take advantage of current browser-based protection mechanisms, AD FS on Windows Server 2019 added the ability to customize the HTTP security response headers that AD FS sends. This is done through two new cmdlets: Get-AdfsResponseHeaders and Set-AdfsResponseHeaders. The failure is expected in environments where users access AD FS-protected resources externally.

Opening the browser developer tools (F12) and the Console tab during a login attempt will expose the URL the AD FS server is blocking. This blocked URL must be added to the AD FS response headers.

Resolution

Modify the Content-Security-Policy header on the primary 2019 AD FS server to allow the VIP User Service URL (https://userservices.vip.symantec.com) and the IdP URL. The URLs shown in the command below can be removed or modified to include or exclude the URL(s) being blocked within your AD FS environment.

Sample IAScript.js file snippet:

<script type="text/javascript" src="https://userservices.vip.symantec.com/vipuserservices/resources/js/v_1_0/vip?appId=123456789&idpURL=https://yourVIPEGIdP.example.com:443/vipssp/trustedserviceaccess&autoIntegration=manual"></script>

Run the following PowerShell command on your primary AD FS server:

Set-AdfsResponseHeaders -SetHeaderName "Content-Security-Policy" -SetHeaderValue "default-src 'self' https://userservices.vip.symantec.com https://userservices.cl.vip.symantec.com https://userservices.vip.csp01.saas.broadcom.com https://yourVIPEGIdP.example.com 'unsafe-inline' 'unsafe-eval' script-src; img-src 'self' data:; "

To confirm the settings, execute Get-AdfsProperties from PowerShell and review the ResponseHeaders property:

ResponseHeaders: {[Content-Security-Policy, default-src 'self' https://userservices.vip.symantec.com https://userservices.cl.vip.symantec.com https://userservices.vip.csp01.saas.broadcom.com https://yourVIPEGIdP.example.com  'unsafe-inline' 'unsafe-eval' script-src; img-src 'self' data:;], [X-Frame-Options, allow-from https://userservices.vip.symantec.com]}
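To see why the IdP frame is blocked under a bare 'self' policy and allowed under the header above, the following Python evaluator applies the CSP source-matching and directive-fallback rules to the page's own URLs. This is an added example, not Broadcom/Symantec code; the AD FS origin https://adfs.example.com is a constructed placeholder, and wildcard hosts and path matching are not handled.

```python
from urllib.parse import urlsplit
# CSP fetch-directive fallback: a missing directive defers to the next in its
# chain, ending at default-src (which is why the fix above edits default-src).
FALLBACK = {"script-src": ("script-src", "default-src"),
            "frame-src": ("frame-src", "child-src", "default-src"),
            "img-src": ("img-src", "default-src")}
DEFAULT_PORTS = {"https": 443, "http": 80}

def parse_csp(header):
    """Split a CSP header value into {directive: [source expressions]}."""
    policy = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), []).extend(tokens[1:])
    return policy

def source_allows(source, target, self_origin):
    """True if one source expression ('self', scheme-source or host-source) permits target."""
    src = source.lower()
    if src.startswith("'"):                   # keyword: only 'self' names an origin
        if src != "'self'":
            return False
        src = self_origin.lower()
    if src.endswith(":") and "/" not in src:  # scheme-source such as data:
        return target.scheme == src[:-1]
    if "://" not in src:                      # bare host: assume the page's scheme
        src = f"{target.scheme}://{src}"
    scheme, rest = src.split("://", 1)
    host, _, port = rest.split("/", 1)[0].partition(":")
    src_port = int(port) if port else DEFAULT_PORTS.get(scheme)
    tgt_port = target.port or DEFAULT_PORTS.get(target.scheme)
    # A stray token such as "script-src" inside default-src becomes a host named
    # "script-src" here and matches nothing, so it is harmless dead weight.
    return scheme == target.scheme and host == target.hostname and src_port == tgt_port

def csp_allows(header, url, kind, self_origin):
    """Return (allowed, governing_directive) for loading url as kind under header."""
    policy, target = parse_csp(header), urlsplit(url)
    for directive in FALLBACK[kind]:
        if directive in policy:
            return any(source_allows(s, target, self_origin) for s in policy[directive]), directive
    return True, None                         # no applicable directive: unrestricted

# Constructed AD FS origin; the header and IdP frame URL are the page's own values.
ADFS_ORIGIN = "https://adfs.example.com"
VIP_CSP = ("default-src 'self' https://userservices.vip.symantec.com https://userservices.cl.vip.symantec.com "
           "https://userservices.vip.csp01.saas.broadcom.com https://yourVIPEGIdP.example.com "
           "'unsafe-inline' 'unsafe-eval' script-src; img-src 'self' data:;")
IDP_FRAME = "https://yourVIPEGIdP.example.com:443/vipssp/trustedserviceaccess"
```

Note that the script's explicit :443 and the header's implicit default port are treated as the same origin, and that the header as written defines no script-src directive at all, so scripts are governed by default-src.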


Restart the AD FS service. The secondary AD FS server(s) in the farm should inherit this setting from the primary AD FS server.

(Note: To avoid AD FS credential caching conflicts, test authentications in a new private or incognito window).