canada-ca / CATS-STAE

Cyber Authentication Technology - Technologie d’authentification électronique
https://canada-ca.github.io/CATS-STAE/

Upcoming change to Chrome will "break" some SAML SPs #16

Open harrdou opened 5 years ago

harrdou commented 5 years ago

Google is planning to introduce a change to how Chrome treats third party cookies by default:

https://blog.chromium.org/2019/05/improving-privacy-and-security-on-web.html

This change will cause issues with some SAML service providers that depend on a cookie to correlate a SAML response to a user session.

Further details are available via the following links:

https://chromestatus.com/feature/5088147346030592
https://web.dev/samesite-cookies-explained
https://tools.ietf.org/html/draft-west-cookie-incrementalism-00

A complication is that the recommended fix of setting SameSite=none on the cookie(s) will break browsers on Mac and iOS because of a different bug:

https://bugs.webkit.org/show_bug.cgi?id=198181

Relying parties can test to see if they are impacted as follows:

  1. Download the Chrome 76 beta (https://www.google.com/chrome/beta/)
  2. Open "chrome://flags/" and set the experimental "SameSite by default cookies" flag to "Enabled".
  3. Try to log in to your SP from both GCKey and CBS.

I've already confirmed that both the OpenAM fedlets for Java and .NET are affected. Hoping that RPs using other software can share the results of their testing.

harrdou commented 5 years ago

SPs using Get Access along with the GA Language Cookie servlet that I provided in the GetAccess toolkit look to be OK.

This is because the toolkit recommends configuring GetAccess to specify the language cookie service as the target for GAURI. So the behaviour is:

  1. Upon receipt of the POST-ed SAML Response, GetAccess immediately redirects to the language cookie service.
  2. The browser sends a GET request to the language cookie service, which does its thing and then redirects to the "real" target URL with the language value in a query string.
  3. The browser sends a GET request for the target URL, and since it is a GET and the new SameSite default is "Lax", the browser sends all the cookies it is supposed to.

So GetAccess SPs that follow the toolkit guide should be OK.
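The issue description and the GetAccess comment above describe two sides of the same browser rule: a SAML Response arrives at the SP's ACS URL as a top-level cross-site POST, so a correlation cookie that falls under Chrome's new "Lax" default is not attached, while the redirect-to-GET that the GetAccess toolkit produces is a top-level GET that Lax does permit. The JavaScript below is an added example, not code from the CATS-STAE project or from any of the SP products named in the thread. It models Chrome 80's decision for the four SameSite states (including the two-minute "Lax + POST" allowance for cookies set without an attribute), replays the POST-binding and redirect-after-POST scenarios with constructed request and cookie values, and builds a Set-Cookie value that omits SameSite for the iOS 12 / macOS 10.14 Safari clients hit by the WebKit bug. The user-agent patterns approximate Chromium's published list of incompatible clients and are an assumption, as are the cookie and function names.

```javascript
// Added example (not CATS-STAE project code): a model of Chrome 80's
// SameSite-by-default cookie rules, used to show why a SAML Response POST-ed
// cross-site loses the SP's correlation cookie, why a redirect to a GET keeps
// it, and how to pick cookie attributes for clients with the WebKit bug.
// The request/cookie values below are constructed, not captured traffic.

// Chrome's "Lax + POST" mitigation: a cookie with no SameSite attribute is
// still sent on a top-level cross-site POST if it is younger than this.
const LAX_POST_GRACE_SECONDS = 120;

function isSafeMethod(method) {
  return method === 'GET' || method === 'HEAD';
}

// cookie:  { sameSite: 'Strict' | 'Lax' | 'None' | undefined, secure, ageSeconds }
// request: { method, https, crossSite, topLevelNavigation }
// Returns true if the browser attaches the cookie to the request.
function cookieIsSent(cookie, request) {
  if (cookie.secure && !request.https) return false;   // Secure cookies need HTTPS
  if (!request.crossSite) return true;                 // same-site: always sent
  const mode = cookie.sameSite === undefined ? 'LaxByDefault' : cookie.sameSite;
  switch (mode) {
    case 'None':
      return cookie.secure;  // Chrome 80 rejects SameSite=None without Secure
    case 'Strict':
      return false;
    case 'Lax':
      return request.topLevelNavigation && isSafeMethod(request.method);
    case 'LaxByDefault':
      if (!request.topLevelNavigation) return false;
      if (isSafeMethod(request.method)) return true;
      return request.method === 'POST' && cookie.ageSeconds < LAX_POST_GRACE_SECONDS;
    default:
      throw new Error(`unknown SameSite value: ${mode}`);
  }
}

// The SAML HTTP-POST binding: the IdP's auto-submitting form POSTs the
// SAMLResponse to the SP's ACS URL as a top-level, cross-site navigation.
// Constructed scenario: the SP set its correlation cookie 5 minutes earlier.
function acsPostCookieSent(sameSite) {
  const cookie = { sameSite, secure: true, ageSeconds: 300 };
  const acsPost = { method: 'POST', https: true, crossSite: true, topLevelNavigation: true };
  return cookieIsSent(cookie, acsPost);
}

// The GetAccess toolkit pattern: the ACS answers the POST with a redirect, so
// the next request the browser makes is a top-level GET, which Lax permits.
function redirectedGetCookieSent(sameSite) {
  const cookie = { sameSite, secure: true, ageSeconds: 300 };
  const redirectedGet = { method: 'GET', https: true, crossSite: true, topLevelNavigation: true };
  return cookieIsSent(cookie, redirectedGet);
}

// Clients hit by the WebKit bug (iOS 12, Safari on macOS 10.14) treat
// SameSite=None as Strict. These patterns approximate Chromium's published
// incompatible-client list (assumption) and cover only those two platforms.
const IOS_12 = /\(iP.+; CPU .*OS 12[_\d]*.*\) AppleWebKit\//;
const MACOS_10_14 = /\(Macintosh;.*Mac OS X 10_14[_\d]*.*\) AppleWebKit\//;
const SAFARI = /Version\/.* Safari\//;
const CHROMIUM_BASED = /Chrom(e|ium)\//;

function mishandlesSameSiteNone(userAgent) {
  if (IOS_12.test(userAgent)) return true;
  return MACOS_10_14.test(userAgent) && SAFARI.test(userAgent) && !CHROMIUM_BASED.test(userAgent);
}

// Set-Cookie value for the SP's correlation cookie (hypothetical name). For the
// buggy clients the attribute is omitted, since they treat a missing SameSite
// as "none"; everyone else gets SameSite=None together with Secure.
function correlationCookieHeader(name, value, userAgent) {
  const base = `${name}=${value}; Path=/; Secure; HttpOnly`;
  return mishandlesSameSiteNone(userAgent) ? base : `${base}; SameSite=None`;
}

console.log('POST, no attribute :', acsPostCookieSent(undefined));       // false: correlation fails
console.log('POST, SameSite=None:', acsPostCookieSent('None'));          // true
console.log('redirect to GET    :', redirectedGetCookieSent(undefined)); // true
```

Two caveats when reading the model: the Lax + POST allowance only helps when the cookie was set less than two minutes before the IdP posts back, which a user who pauses at the IdP login page can easily exceed, so it is not a fix; and omitting SameSite for the WebKit clients restores today's behaviour for them only because those builds treat a missing attribute as "none", which is exactly what Chrome 80 stops doing.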

harrdou commented 5 years ago

Login to ACOA Direct fails, so it looks like this breaks ADFS.

harrdou commented 5 years ago

There is more discussion on this change here:

https://groups.google.com/a/chromium.org/forum/?utm_medium=email&utm_source=footer#!msg/blink-dev/AknSSyQTGYs/OpRDVpgABgAJ

It looks like Google is delaying the change until Chrome 80 after Apple rolls out iOS 13.

Greggomatic commented 4 years ago

Hey Doug - was this fixed in Chrome 80? I see I'm running version 85?

Thanks.

ricardosaracino commented 4 years ago

I believe there is a 2 minute grace period