Starting with Google Chrome 80, scheduled for release in February 2020, the behavior of cookies will change. Chrome 80 will treat cookies that have no declared SameSite value as SameSite=Lax cookies. As a result, such cookies are no longer sent with cross-site POST requests.
Testing has shown that this change affects the following configurations and features:
CDSSO + Session Upgrade + XUI OFF
Additional authentication fails because the iPlanetDirectoryPro cookie is not sent to OpenAM.
SAML2 Authentication Module
Since the AuthenticationStep cookie is not sent to OpenAM, an Internal Server Error occurs.
SAML2 SLO
Logout is not performed because the iPlanetDirectoryPro cookie is not sent to OpenAM.
SAML SP + SP-Init SSO + POST binding + amlbcookie as sticky session
The amlbcookie is not sent, so the SAML response is delivered to a server other than the one that issued the SAML request.
Solution
Add options to set SameSite=None on the cookies that break when they are treated as Lax.
We are planning to add the following settings at this time.
Default value of SameSite attribute
SameSite setting list
Allows the SameSite value of each cookie to be specified in {Cookie Name}=(SameSite Value) format.
We should also consider handling for browsers that are not compatible with the SameSite attribute. In particular, macOS 10.14 and iOS 12 can be significantly affected.
References
Chromium Blog: Developers: Get Ready for New SameSite=None; Secure Cookie Settings
SameSite=None: Known Incompatible Clients - The Chromium Projects
[OPENAM-15444] Prepare for Chrome's move to SameSite=lax by default