A relying party (RP) wants to implement OIDC Session Management as specified in section 4.2 of https://openid.net/specs/openid-connect-session-1_0.html#rfc.section.4.2
To do so, the spec instructs the RP to operate as follows:
> The RP also loads an invisible OP iframe into itself from the OP's check_session_iframe.
The check_session_iframe value is published in the OIDC discovery document (/.well-known/openid-configuration). In AM's case it looks like this:
"check_session_iframe": "http://am:80/openam/oauth2/connect/checkSession"
However, an RP served from any origin other than AM's cannot load this URL in an invisible OP iframe, because AM responds with the header "X-Frame-Options: SAMEORIGIN" and the browser refuses to render the response inside a frame whose top-level document has a different origin. The only purpose of this endpoint is to be embedded in a cross-origin frame, so the header is inappropriate on this response and should be removed. Note that the header is still appropriate on the rest of AM (the login pages in particular) and should only be dropped for the checkSession response; the checkSession document contains no user interface a clickjacking attack could target. For the same reason, if AM ever emits a Content-Security-Policy frame-ancestors directive, that directive must also permit the RP origins on this response, since browsers give it precedence over X-Frame-Options.
Enable the OAuth2 Provider service and request /openam/oauth2/connect/checkSession. Note the X-Frame-Options: SAMEORIGIN response header.
The checkSession response carries no X-Frame-Options: SAMEORIGIN header, so an RP on a different origin can embed it.
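The RP side of the exchange described above, as an added example that is not part of the original report and not AM's code: it builds the spec's postMessage payload (client_id, a space, session_state), accepts replies only from the OP origin, and includes a header check that reports whether a given X-Frame-Options (or, going beyond the report, Content-Security-Policy frame-ancestors) value would let a browser frame the checkSession document from the RP's origin. The RP origin http://rp.example and the client_id are assumed placeholders; the AM URL is the one from the discovery document above. The checkSession endpoint's reply strings "changed", "unchanged" and "error" are the ones defined by the spec.

```javascript
// Added example (not from the original report, not AM's code). Origins and
// client_id are assumed placeholders.
const CHECK_SESSION_IFRAME = 'http://am:80/openam/oauth2/connect/checkSession';

// Browsers serialize origins without the default port, so event.origin for the
// AM iframe is "http://am", not "http://am:80". Compare normalized origins only.
const OP_ORIGIN = new URL(CHECK_SESSION_IFRAME).origin;   // "http://am"
const RP_ORIGIN = new URL('http://rp.example').origin;     // assumed RP origin

// Message the RP posts to the OP iframe (spec section 4.2): client_id + " " + session_state.
function buildCheckMessage(clientId, sessionState) {
  if (!clientId || !sessionState) throw new Error('client_id and session_state are required');
  return clientId + ' ' + sessionState;
}

// Interpret a message event from the OP iframe. Anything not from the OP origin
// is ignored; anything other than "changed"/"unchanged" is treated as "error".
function interpretOpReply(event) {
  if (event.origin !== OP_ORIGIN) return 'ignored';
  if (event.data === 'changed' || event.data === 'unchanged') return event.data;
  return 'error';
}

// Would a browser render a response with these headers inside a frame whose
// top-level document is rpOrigin, when the response comes from opOrigin?
// Simplified matcher: frame-ancestors supports 'none', 'self', '*' and exact
// origins only (host wildcards are not handled); other X-Frame-Options values
// (including the obsolete ALLOW-FROM) are ignored, as current browsers do.
function framingAllowed(headers, rpOrigin, opOrigin) {
  const rp = new URL(rpOrigin).origin;
  const op = new URL(opOrigin).origin;
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v).trim();

  // A frame-ancestors directive takes precedence over X-Frame-Options.
  const csp = h['content-security-policy'] || '';
  const fa = csp.split(';').map((d) => d.trim()).find((d) => /^frame-ancestors\b/i.test(d));
  if (fa) {
    const sources = fa.split(/\s+/).slice(1).map((s) => s.replace(/^'|'$/g, '').toLowerCase());
    if (sources.includes('none')) return false;
    return sources.some((s) => s === '*' || (s === 'self' && rp === op) || s === rp.toLowerCase());
  }

  const xfo = (h['x-frame-options'] || '').toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return rp === op;
  return true; // no framing restriction
}

// Browser-only: embed the invisible OP iframe and poll it. onChange receives
// "changed" (re-authenticate or log out locally) or "error" (stop polling).
function startSessionPolling(clientId, sessionState, onChange, intervalMs = 5000) {
  const iframe = document.createElement('iframe');
  iframe.style.display = 'none';
  iframe.src = CHECK_SESSION_IFRAME;
  window.addEventListener('message', (e) => {
    const result = interpretOpReply(e);
    if (result === 'changed' || result === 'error') onChange(result);
  });
  iframe.onload = () => {
    const msg = buildCheckMessage(clientId, sessionState);
    setInterval(() => iframe.contentWindow.postMessage(msg, OP_ORIGIN), intervalMs);
  };
  document.body.appendChild(iframe);
  return iframe;
}
```

In the browser, `startSessionPolling('my-rp', sessionStateFromAuthResponse, handle)` is all the RP needs once AM stops sending the header; with the header still present, `framingAllowed({ 'X-Frame-Options': 'SAMEORIGIN' }, RP_ORIGIN, OP_ORIGIN)` returns false, which is exactly the failure this report describes.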