spring-attic / spring-security-saml

SAML extension for the Spring Security project

SameSite=Lax breaks SAML-POST Binding #443

Closed oharsta closed 5 years ago

oharsta commented 5 years ago

Google has announced that in the upcoming Chrome 80 the default value for SameSite will be Lax. This will break the SAML POST Binding. A simple workaround for SPs who use cookies to reconcile the SAML Response is to use the None value for SameSite. This, however, breaks this SAML flow with Safari.

The default behavior in DefaultCookieSerializer is to use Lax. Do we want to override this in spring-security-saml?
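The workaround described in this issue, as an added example that is not code from the issue or from the spring-security-saml project: a Spring Session `CookieSerializer` bean that overrides the `DefaultCookieSerializer` default of `Lax` with `None` so the browser still attaches the session cookie to the cross-site POST that carries the SAML Response back from the IdP. It assumes Spring Session 2.1 or later on the classpath (the version that introduced `setSameSite`) and a session cookie named `SESSION`; both are assumptions, not something stated on the page.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.session.web.http.CookieSerializer;
import org.springframework.session.web.http.DefaultCookieSerializer;

/**
 * Webapp-side cookie configuration for an SP that stores the pending
 * AuthnRequest state in the HTTP session. Without this bean Spring Session
 * emits SameSite=Lax, and a top-level cross-site POST from the IdP arrives
 * with no session cookie, so the SP cannot correlate the SAML Response.
 */
@Configuration
public class SamlSessionCookieConfig {

    @Bean
    public CookieSerializer cookieSerializer() {
        DefaultCookieSerializer serializer = new DefaultCookieSerializer();
        serializer.setCookieName("SESSION");   // assumed cookie name
        serializer.setCookiePath("/");

        // SameSite=None is the only value browsers will send on a cross-site
        // form POST, which is exactly what the SAML HTTP-POST binding is.
        serializer.setSameSite("None");

        // Browsers drop SameSite=None cookies that are not also marked Secure,
        // so the SP must be served over HTTPS for this to take effect at all.
        serializer.setUseSecureCookie(true);

        // Not persisted across browser restarts: keeps the relaxed cookie
        // short-lived, since SameSite=None gives up the CSRF mitigation that
        // Lax provided. Spring Security's CSRF protection must stay enabled.
        serializer.setCookieMaxAge(-1);
        return serializer;
    }
}
```

With this bean in place, check the `Set-Cookie` header on a response from the SP and confirm it carries both `SameSite=None` and `Secure`; a cookie with `None` but without `Secure` is silently discarded by Chrome 80 and later, which reproduces the original symptom.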

fhanik commented 5 years ago

Thank you for the report. I think it's best to have the user of the spring-security-saml library determine how cookies are set and what attributes are set on them as part of the configuration of the web application.

It's unfortunate that Safari and Chrome are out of step, but that should be resolved in timing.

A Pull Request against the samples would be beneficial, to show how to set the cookie values.

fhanik commented 5 years ago

Hi @oharsta, please reopen if you believe that there is something we can do in the library. I believe it's part of the webapp configuration to set the cookie.