Warning: Testing Update

The testing methodology has been updated. All previous tests were run with the IdP configured to allow the storage of sessions in client-side HTML local storage (idp.storage.htmlLocalStorage=true). This has the effect of enabling SSO when using the HTTP-POST binding even when cookies are defaulted to SameSite=Lax, or even when using server-side session storage. Without it, SSO will fail when initiated using the HTTP-POST binding from a cross-site SP, and the user will always be presented with the login page.
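The failure described above follows from the browser's SameSite rules: a Lax (or Lax-by-default) cookie is only attached to cross-site requests that are top-level navigations using a safe method, so the HTTP-Redirect binding (GET) keeps the IdP session cookie while the HTTP-POST binding drops it. The following added model, which is not part of the wiki page or the IdP code, replays those rules against the test setup's hostnames (shibtest.com as the SP site, localhost as the IdP). It assumes top-level navigations, a simplified eTLD+1 site comparison, and Chrome 80-style behaviour where SameSite=None is only honoured on Secure cookies.

```python
"""Model of the browser SameSite decision that determines whether the IdP
session cookie survives a cross-site SAML request. Added illustration only."""
from dataclasses import dataclass
from urllib.parse import urlsplit


def site_of(url: str) -> str:
    """Registrable domain (eTLD+1) of a URL. Simplified assumption: the last
    two labels form the site, and a single label such as 'localhost' is its
    own site. A real browser consults the Public Suffix List instead."""
    host = urlsplit(url).hostname or ""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


@dataclass
class Cookie:
    name: str
    same_site: str = ""     # "Strict", "Lax", "None", or "" if the attribute is absent
    secure: bool = False


def cookie_sent(cookie: Cookie, initiator_url: str, target_url: str,
                method: str, lax_by_default: bool = True) -> bool:
    """True if the browser attaches `cookie` to a top-level request to
    `target_url` initiated from `initiator_url` (e.g. the SP's AuthnRequest).
    `lax_by_default` models the #same-site-by-default-cookies flag."""
    if site_of(initiator_url) == site_of(target_url):
        return True                                  # same-site: always sent
    if not cookie.same_site and not lax_by_default:
        return True                                  # legacy: no SameSite enforcement
    mode = cookie.same_site or "Lax"                 # absent attribute treated as Lax
    if mode == "None":
        # Chrome 80+: SameSite=None is ignored (cookie rejected) unless Secure over https
        return cookie.secure and urlsplit(target_url).scheme == "https"
    if mode == "Strict":
        return False                                 # never on cross-site requests
    # Lax: only cross-site top-level navigations with a safe method carry the cookie,
    # which is why HTTP-Redirect (GET) works and HTTP-POST does not.
    return method.upper() in ("GET", "HEAD")


# Constructed scenario mirroring the test setup: SP on shibtest.com, IdP on localhost.
SP = "https://shibtest.com/sp/start"
IDP_POST = "https://localhost/idp/profile/SAML2/POST/SSO"
IDP_REDIRECT = "https://localhost/idp/profile/SAML2/Redirect/SSO"


def sso_cookie_outcomes(cookie: Cookie, lax_by_default: bool = True) -> dict:
    """Per-binding verdict on whether the IdP session cookie reaches the IdP."""
    return {"HTTP-POST": cookie_sent(cookie, SP, IDP_POST, "POST", lax_by_default),
            "HTTP-Redirect": cookie_sent(cookie, SP, IDP_REDIRECT, "GET", lax_by_default)}
```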

...

To test the effects of various SameSite settings, the following setup will be used:

  • Chrome Canary 78.0.3885.0 (Official Build) canary (64-bit), with #same-site-by-default-cookies set to enabled. This is to mimic what will become the default behaviour in Chrome 80 onward.
  • The IdP running in Eclipse using the Java idp-testbed project.
    • Using idp-jetty-base with Jetty v9.3.
    • A new SAML2Controller InitSSO POST method/endpoint. This overwrites the destination URL with localhost, ignoring the baseURL of the servlet request.
  • A modified hosts file that points the hostname shibtest.com to 127.0.0.1 (localhost).
    • The SAML2Controller can then be accessed on a different top-level site than the IdP - to mimic a cross site request.
  • The standard IdP Password authentication flow.

...

In conclusion, the IdP should continue to function when its cookies are being defaulted to SameSite=Lax by browsers (currently tested on Chrome 78-81 and Firefox 72 with the same-site default flags set). Typically, we have only seen the IdP itself break when the JSESSIONID is set to SameSite 'Strict', which should not happen apart from a bug when explicitly trying to set SameSite=None with older versions of Safari on macOS <=10.14 and all WebKit browsers on iOS <=12 (https://bugs.webkit.org/show_bug.cgi?id=198181). However, with regards to achieving single sign-on you may see degraded operation, and the following possibilities occur:

...