...
Why Do Nothing?
Simply put, Apple. Fixing this today requires either a very complex and, to our mind, unwarranted amount of User-Agent shenanigans or the immediate breakage of all older macOS and iOS Safari browsers, though this is less of a concern now. Fairly old Safari versions do not handle the SameSite attribute properly and will malfunction, but most of these versions are far enough back now to present a low risk. Some older Chrome versions on mobile are also affected. We don't think the work is worth the gain at present (unless you’re proxying, of course). In our view, the simpler course of action is to wait until those versions can be dismissed before deploying the SameSite workaround. That wait may be infinite, but again, the affected versions are fairly far back.
Of course, if you have to support applications that use frames around the IdP, then you may not have a choice, per the note above, and the same goes if you’re relying on SAML proxying.
Doing Something
The IdP includes a Java servlet filter class that can be deployed to work around Java's lack of SameSite support and auto-add the attribute to cookies in various ways. It does have a generic extension point for attaching a condition that can be used for User-Agent testing.
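As an illustration of the kind of User-Agent test such a condition would have to perform, the following added example (not the IdP's own code) classifies a User-Agent string as safe or unsafe for SameSite=None. The class name is hypothetical, the version ranges follow Chromium's published list of known incompatible clients (Safari cases on macOS 10.14 and iOS 12, Chrome 51 to 66), and wiring it into the filter's extension point is not shown.

```java
import java.util.function.Predicate;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Hypothetical condition: true when SameSite=None can safely be sent to this User-Agent. */
final class SameSiteNoneCompatible implements Predicate<String> {
    // Digit runs are length-limited so Integer.parseInt cannot overflow on hostile input.
    private static final Pattern IOS =
        Pattern.compile("\\(iP.+; CPU .*OS (\\d{1,4})[_\\d]*.*\\) AppleWebKit/");
    private static final Pattern MACOS =
        Pattern.compile("\\(Macintosh;.*Mac OS X (\\d{1,4})_(\\d{1,4})[_\\d]*.*\\) AppleWebKit/");
    private static final Pattern SAFARI = Pattern.compile("Version/.* Safari/");
    private static final Pattern MAC_EMBEDDED = Pattern.compile(
        "^Mozilla/[.\\d]+ \\(Macintosh;.*Mac OS X [_\\d]+\\) AppleWebKit/[.\\d]+ \\(KHTML, like Gecko\\)$");
    private static final Pattern CHROMIUM = Pattern.compile("Chrom(?:e|ium)/(\\d{1,4})");

    @Override
    public boolean test(String ua) {
        if (ua == null || ua.isEmpty()) return true;          // no header: assume a current client
        Matcher m = IOS.matcher(ua);
        if (m.find() && Integer.parseInt(m.group(1)) == 12) return false;  // every browser on iOS 12
        m = MACOS.matcher(ua);
        if (m.find() && m.group(1).equals("10") && m.group(2).equals("14")
                && (SAFARI.matcher(ua).find() || MAC_EMBEDDED.matcher(ua).find())) {
            return false;                                     // Safari / embedded WebKit on macOS 10.14
        }
        m = CHROMIUM.matcher(ua);
        if (m.find()) {
            int major = Integer.parseInt(m.group(1));
            if (major >= 51 && major <= 66) return false;     // these versions reject SameSite=None
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample User-Agent strings, not captured traffic.
        String[] samples = {
            "Mozilla/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.2 Mobile/15E148 Safari/604.1",
            "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.2 Safari/605.1.15",
            "Mozilla/5.0 (Linux; Android 8.0.0; Pixel) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.107 Mobile Safari/537.36",
            "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"
        };
        Predicate<String> ok = new SameSiteNoneCompatible();
        for (String ua : samples) {
            System.out.println((ok.test(ua) ? "add SameSite=None : " : "omit SameSite     : ") + ua);
        }
    }
}
```

The first three samples are classified as incompatible and the last as compatible. User-Agent strings are client-controlled, so a check like this is a compatibility heuristic only and should never gate a security decision.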
Note that current versions of Jetty and Tomcat both have proprietary and mutually incompatible methods for injecting SameSite into cookies, including JSESSIONID, but neither provides a practical means of doing so conditionally. As a result, we have no plans to support or make use of either of those mechanisms.
The filter is pre-installed by default now, but upgraded systems with web.xml modifications would need to import those additions from the delivered version. Even when present, it is disabled by default.
...