If your identity provider returns an *X-Frame-Options: Deny* header, modern browsers will refuse to load the sign-in form inside a frame. This is by design within the web .
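A diagnostic check for this situation, as an added example that is not part of the original page: given the response headers of the sign-in page, it reports whether a browser will refuse to render it in a frame. It goes beyond the header named above by also evaluating CSP `frame-ancestors`, which replaces `X-Frame-Options` when both are sent. The function name, parameters and `.example` origins are assumptions.

```javascript
// Added example. Function and parameter names are hypothetical; origins are
// serialized origins such as "https://app.example". Assumes one embedding level.
function framingDecision(headers, pageOrigin, embedderOrigin) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);
  const page = pageOrigin.toLowerCase();
  const embed = embedderOrigin.toLowerCase();

  // A CSP frame-ancestors directive, when present, replaces X-Frame-Options.
  const fa = (h["content-security-policy"] || "")
    .split(";")
    .map((d) => d.trim().split(/\s+/))
    .find((t) => t[0].toLowerCase() === "frame-ancestors");
  if (fa) {
    const sources = fa.slice(1).map((s) => s.toLowerCase());
    if (sources.length === 0) return "blocked";
    if (sources.length === 1 && sources[0] === "'none'") return "blocked";
    if (sources.includes("*")) return "allowed";
    for (const s of sources) {
      if (s === "'self'" && embed === page) return "allowed";
      if (s === embed) return "allowed";
    }
    // Only plain https origins are evaluated; wildcard hosts, ports, paths and
    // scheme-only sources need a full CSP matcher, so report them as unknown.
    const simple = (s) =>
      s === "'self'" || s === "'none'" || /^https:\/\/[^*\/:]+$/.test(s);
    return sources.every(simple) ? "blocked" : "unknown";
  }

  const values = new Set(
    (h["x-frame-options"] || "").split(",").map((v) => v.trim().toUpperCase()).filter(Boolean)
  );
  if (values.size > 1) return "unknown"; // conflicting or repeated values
  if (values.has("DENY")) return "blocked";
  if (values.has("SAMEORIGIN")) return embed === page ? "allowed" : "blocked";
  // Absent, invalid, or the obsolete ALLOW-FROM (ignored by modern browsers).
  return "allowed";
}

// Constructed sample: the header from the text, as an identity provider might send it.
console.log(framingDecision({ "X-Frame-Options": "Deny" }, "https://idp.example", "https://app.example"));
```

A result of `blocked` means the sign-in page has to be opened as a top-level navigation (redirect or pop-up) instead of being embedded.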