Visualization content fails to load in Fiori Launchpad when accessing CAD models

We’re experiencing a critical issue where visualization content fails to load in our Fiori Launchpad environment when users try to access CAD models through the visualization module. Users are seeing blank screens or ‘Not Authorized’ errors, even though they have the correct roles assigned.

The problem seems related to SSO cookie attributes and how they interact with the cross-domain iFrame policy in our Fiori Launchpad integration. When I check the browser console, I see CORS-related warnings and session validation failures.

Here’s what I’m seeing in the network trace:


Set-Cookie: MYSAPSSO2=...; Domain=.company.com; Secure
X-Frame-Options: SAMEORIGIN
Access-Control-Allow-Credentials: true

The visualization service is hosted on a different subdomain (viz.company.com) while Fiori runs on sap.company.com. Has anyone dealt with similar SSO cookie and iFrame configuration issues in SAP PLM 2020? Any guidance on proper cookie attributes or Launchpad settings would be greatly appreciated.

I’ve just gone through implementing a similar fix. Here’s the complete solution addressing all three areas:

SSO Cookie Attributes Configuration: First, update your SAP system profile parameters to set proper cookie attributes:


login/ticket_cookie_samesite = None
login/ticket_only_by_https = 1
icm/HTTP/sso_cookie_domain = .company.com

This ensures cookies work across subdomains in iFrame contexts.

Cross-Domain iFrame Policy: Modify your web server (IIS/Apache) configuration to replace X-Frame-Options with Content-Security-Policy:


Content-Security-Policy: frame-ancestors 'self' https://sap.company.com https://viz.company.com;

Remove or comment out the X-Frame-Options header entirely as CSP takes precedence.

Fiori Launchpad Integration: Update the Fiori Launchpad configuration in /UI5/THEME_DESIGNER and FLP settings:

  1. Navigate to Fiori Configuration → Security Settings
  2. Add viz.company.com to the list of trusted domains
  3. Enable ‘Allow Embedded Content from Trusted Sources’
  4. In the visualization app’s manifest.json, add:
     "sap.fiori": {
       "frameOptions": {
         "allow": ["https://viz.company.com"]
       }
     }

Session Propagation: Ensure your Identity Provider (IdP) configuration includes both domains:

  • In transaction SAML2, add viz.company.com as a trusted service provider
  • Configure assertion consumer service URLs for both domains
  • Set RelayState parameter to maintain session context

Verification Steps:

  1. Clear browser cache and cookies completely
  2. Test with browser dev tools open (Network and Console tabs)
  3. Verify SSO cookie is sent with visualization requests (check Cookie header)
  4. Confirm no CORS errors in console
  5. Check that iFrame loads without ‘X-Frame-Options’ blocking

After implementing these changes, restart your ICM and web server. The visualization content should now load properly within Fiori Launchpad. The key is ensuring all three layers (cookie attributes, frame policy, and Launchpad trust) are aligned. We tested this in SAP PLM 2020 SP12 and it resolved the blank screen and authorization errors completely.
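Added example, not part of the original posts: a small header audit for verification steps 3 to 5, run over the three headers from the question's trace and again with the Content-Security-Policy line from the answer above. The function names are hypothetical, and the headers are assumed to be sent by the framed service at https://viz.company.com.

```javascript
// Constructed input: the three response headers quoted in the question's trace,
// assumed here to come from the framed service at https://viz.company.com.
const TRACE = [
  "Set-Cookie: MYSAPSSO2=...; Domain=.company.com; Secure",
  "X-Frame-Options: SAMEORIGIN",
  "Access-Control-Allow-Credentials: true",
];

function parseHeaders(lines) {
  const h = {};
  for (const line of lines) {
    const i = line.indexOf(":");
    if (i > 0) h[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return h;
}

// Would a browser let a page at parentOrigin frame a response with these headers?
// Handles one level of nesting and the source forms 'self', 'none', * and exact origins.
function frameAllowed(h, parentOrigin, frameOrigin) {
  const directive = (h["content-security-policy"] || "").split(";")
    .map((d) => d.trim().split(/\s+/))
    .find((d) => d[0].toLowerCase() === "frame-ancestors");
  if (directive) { // when frame-ancestors is present, X-Frame-Options is not enforced
    return directive.slice(1).some((src) =>
      src === "*" || (src === "'self'" ? parentOrigin === frameOrigin : src === parentOrigin));
  }
  const xfo = (h["x-frame-options"] || "").toUpperCase();
  if (xfo === "DENY") return false;
  if (xfo === "SAMEORIGIN") return parentOrigin === frameOrigin;
  return true;
}

// Cookie attribute problems that stop the SSO cookie reaching frameHost.
function cookieIssues(h, frameHost) {
  if (!h["set-cookie"]) return [];
  const attrs = h["set-cookie"].split(";").slice(1).map((a) => a.trim().toLowerCase());
  const value = (name) => (attrs.find((a) => a.startsWith(name + "=")) || "").slice(name.length + 1);
  const domain = value("domain").replace(/^\./, "");
  const issues = [];
  if (!domain) issues.push("host-only cookie: not sent to other subdomains");
  else if (frameHost !== domain && !frameHost.endsWith("." + domain)) issues.push("Domain does not cover " + frameHost);
  if (value("samesite") === "none" && !attrs.includes("secure")) issues.push("SameSite=None without Secure is rejected");
  return issues;
}

function audit(lines, parentOrigin, frameOrigin) {
  const h = parseHeaders(lines);
  return { frameAllowed: frameAllowed(h, parentOrigin, frameOrigin),
           cookieIssues: cookieIssues(h, new URL(frameOrigin).hostname) };
}
```

For the original trace, `audit(TRACE, "https://sap.company.com", "https://viz.company.com")` reports the frame as blocked and no cookie attribute issues; adding the `frame-ancestors` header flips the frame result even if `X-Frame-Options: SAMEORIGIN` is still present.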

I’ve seen this before. The SAMEORIGIN frame policy is blocking the embedded content. You need to update your HTTP headers to allow the visualization subdomain. Check your web server configuration for X-Frame-Options settings and consider switching to Content-Security-Policy with the frame-ancestors directive instead.

We had the exact same problem last year. The issue is that Fiori Launchpad’s iFrame sandbox restrictions conflict with the visualization service’s authentication flow. You need to configure the Launchpad’s app descriptor to explicitly allow the visualization domain. Check your manifest.json for the visualization app and ensure crossNavigation settings are properly configured.

Looking at your network trace, the issue is multi-faceted. The X-Frame-Options SAMEORIGIN is definitely blocking cross-domain embedding. Additionally, Access-Control-Allow-Credentials being true requires that your requests include credentials, but the SameSite cookie policy might be preventing that. Check if your SAP system is on a recent support pack - there were fixes related to cookie handling in cross-domain scenarios around SP08 for the 2020 version.

From a security perspective, you’re dealing with multiple layers here. First, the SSO cookie needs proper attributes for cross-subdomain access. Second, the iFrame embedding policy must allow the visualization domain. Third, session propagation between Fiori and the visualization service needs to be configured. I recommend checking your Identity Provider settings as well - sometimes the SAML assertion configuration doesn’t include the visualization service as a trusted relying party, which causes these authorization failures even when cookies are present.