EmitSameSiteNone seems to be ignored

[PaulBol]

Setup

• ASP.NET Core 3.1 template application
• Sustainsys.Saml2 and Sustainsys.Saml2.AspNetCore2 2.9.0 NuGet packages added
• Authentication registered with

services.AddAuthentication(sharedOptions =>
    {
        sharedOptions.DefaultScheme = Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationDefaults.AuthenticationScheme;
        sharedOptions.DefaultSignInScheme = Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationDefaults.AuthenticationScheme;
        sharedOptions.DefaultChallengeScheme = Sustainsys.Saml2.AspNetCore2.Saml2Defaults.Scheme;
    })
    .AddSaml2(options =>
    {
        options.SPOptions.EntityId = new EntityId("https://mytest.com");
        options.Notifications.EmitSameSiteNone = (x) => true;
        options.IdentityProviders.Add(
            new Sustainsys.Saml2.IdentityProvider(
                new EntityId("https://stubidp.sustainsys.com/Metadata"), options.SPOptions)
            {
                SingleSignOnServiceUrl = new Uri("https://stubidp.sustainsys.com/"),
                Binding = Sustainsys.Saml2.WebSso.Saml2BindingType.HttpRedirect,
            });
        var certificate = new System.Security.Cryptography.X509Certificates.X509Certificate2(
            Convert.FromBase64String("MIICFTCCAYKgAwIBAgIQzfcJCkM1YahDtRGYsLphrDAJBgUrDgMCHQUAMCExHzAdBgNVBAMTFnN0dWJpZHAuc3VzdGFpbnN5cy5jb20wHhcNMTcxMjE0MTE1NDUwWhcNMzkxMjMxMjM1OTU5WjAhMR8wHQYDVQQDExZzdHViaWRwLnN1c3RhaW5zeXMuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDSSq8EX46J1yprfaBdh4pWII+/E7ypHM1NjG7mCwFwbkjq2tpSBuoASrQftbjIKqjVzxtxETw802VJu5CJR4d3Zdy5jD8NRTesfaQDazX7iiqisfnxmIdDhtJS0lXeBlj4MipoUW6l8Qsjx7ltZSwdfFLyh+bMqIrwOhMWGs82vQIDAQABo1YwVDBSBgNVHQEESzBJgBCBBNba7KNF5wnXqmYcejn6oSMwITEfMB0GA1UEAxMWc3R1YmlkcC5zdXN0YWluc3lzLmNvbYIQzfcJCkM1YahDtRGYsLphrDAJBgUrDgMCHQUAA4GBAHonBGahlldp7kcN5HGGnvogT8a0nNpM7GMdKhtzpLO3Uk3HyT3AAIKWiSoEv2n1BTalJ/CY/+te/JZPVGhWVzoi5JYytpj5gM0O7RH0a3/yUE8S8YLV2h0a2gsdoMvTRTnTm9CnXezCKqhjYjwsmOZtiCIYuFqX71d/pg5uoJfs"));
        options.IdentityProviders.Default.SigningKeys.AddConfiguredKey(certificate);
    }).AddCookie();

Behavior

• Expected: Acs emits cookie with samesite=none
• Observed:

set-cookie: .AspNetCore.Cookies=CfDJ8Bdp...; path=/; secure; samesite=lax; httponly

I tried the same with EmitSameSiteNone = (x) => false with unchanged results.

[AndersAbel]

There are two different cookies used during the Saml2 login:

1. The correlation cookie set by the Saml2 handler to persist state during the login flow.
2. The session cookie set to preserve the session once logged on.

It's only the correlation cookie that is set directly by the Saml2 handler - that is the one controlled by the Saml2 EmitSameSiteNone callback. The session cookie is set by Asp.Net Core's cookie handler through the cookie manager - please consult that documentation on how to control the same site mode. And by the way, SameSite=Lax (which is the default) is both sound from a security perspective and has good compatibility across browsers. It i sonly the explicit SameSite=None that needs to be handled differently for some older browsers.

[PaulBol]

Alright, I see that I was barking up the wrong tree. Thanks for the swift clarification and sorry for my ignorance.