With the default Identity Server configuration, any intruder can load the Identity Server portal login pages, or the pages delivered by Access Gateway ESP, inside an HTML iframe. To prevent this vulnerability, disable Cross-Frame Scripting (XFS) for both Identity Server and Access Gateway ESP.
For information about how to disable it, see the following sections:
Identity Server: Section 3.14, Preventing Clickjacking and XFS Attacks
Access Gateway ESP: Section 4.9, Disabling XFS in Access Gateway ESP
Protected resources: Section 4.10, Disabling XFS for Resources Protected by Access Gateway
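
After XFS is disabled, the response headers of a login or ESP page can be checked for the standard browser anti-framing controls. The following is an added example, not taken from the product documentation: it assumes the setting surfaces as an X-Frame-Options header or a Content-Security-Policy frame-ancestors directive, and the function name and sample headers are constructed for illustration.

```python
# Constructed sample responses (header lists); not captured from a real deployment.
SAMPLES = {
    "default": [("Content-Type", "text/html")],
    "xfo_sameorigin": [("X-Frame-Options", "SAMEORIGIN")],
    "xfo_allow_from": [("X-Frame-Options", "ALLOW-FROM https://portal.example.com")],
    "csp_over_xfo": [("X-Frame-Options", "SAMEORIGIN"),
                     ("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'")],
    "csp_report_only": [("Content-Security-Policy-Report-Only", "frame-ancestors 'none'")],
    "xfo_conflict": [("X-Frame-Options", "DENY"), ("x-frame-options", "SAMEORIGIN")],
}


def framing_policy(headers):
    """Return 'deny', 'same-origin', 'allowlist' or 'frameable' for (name, value) pairs."""
    xfo, ancestors = set(), None
    for name, value in headers:
        name = name.strip().lower()
        if name == "x-frame-options":
            xfo |= {v.strip().upper() for v in value.split(",") if v.strip()}
        # The -Report-Only header never enforces, so it is deliberately not matched.
        # Simplification: only the first policy carrying frame-ancestors is evaluated.
        elif name == "content-security-policy" and ancestors is None:
            for directive in value.split(";"):
                parts = directive.split()
                if parts and parts[0].lower() == "frame-ancestors":
                    ancestors = [p.lower() for p in parts[1:]]
                    break
    if ancestors is not None:
        # An enforced frame-ancestors directive takes precedence over X-Frame-Options.
        if ancestors in ([], ["'none'"]):
            return "deny"
        if "*" in ancestors:
            return "frameable"
        return "same-origin" if ancestors == ["'self'"] else "allowlist"
    if len(xfo) > 1:
        # Conflicting values: browsers block if any recognised value is present.
        return "deny" if xfo & {"DENY", "SAMEORIGIN", "ALLOWALL"} else "frameable"
    if xfo == {"DENY"}:
        return "deny"
    if xfo == {"SAMEORIGIN"}:
        return "same-origin"
    # Missing header, or obsolete ALLOW-FROM, which current browsers ignore.
    return "frameable"


if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        print(f"{label:16} {framing_policy(hdrs)}")
```

A page that still reports `frameable` after the change should be rechecked against the relevant section listed above.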