Versions Compared

Old Version 96

changes.mady.by.user Former user

Saved on

compared with

New Version 97

changes.mady.by.user Former user

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Warning
titleTesting Update

The testing methodology has been updated. All previous tests were run with the IdP configured to allow the storage of sessions in client side HTML local storage (idp.storage.htmlLocalStorage=true). This has the effect of enabling SSO when using the HTTP-POST binding even when cookies are defaulted to SameSite=Lax, or even when using server side session storage. Without it, SSO will fail when initiated using the HTTP-POST binding from a cross-site SP, and the user will be always presented with the login page. 

...

To test the affects of various SameSite settings, the following setup will be used:

  • Chrome Canary 78.0.3885.0 (Official Build) canary (64-bit), with #same-site-by-default-cookies set to enabled. This is to mimic what will become the default behaviour in Chrome 80 onward.
  • The IdP running in eclipse using the Java idp-testbed project.
    • Using idp-jetty-base with Jetty v9.3.
    • A new SAML2Controller InitSSO POST method/endpoint. This overwrites the destination URL with localhost, ignoring the baseURL of the servlet request.
  • A modified hosts file, that points the hostname of shibtest.com to 127.0.0.1 (localhost)
    • The SAML2Controller can then be accessed on a different top-level site than the IdP - to mimic a cross site request.
  • The standard IdP Password authentication flow.

...

  • [client-side-storage] - If htmlLocalStorage is set to false, HTTP-POST SSO will not work (show login page again) with defaulted SameSite=Lax IdP cookies.
  • [client-side-storage] - If htmlLocalStorage is set to true, and bean references in shibboleth.ClientStorageServices are left as they are, HTTP-POST SSO will work with defaulted SameSite=Lax
  • [server-side-storage] - If htmlLocalStorage is set to true, and bean references in shibboleth.ClientStorageServices are left as they are, HTTP-POST SSO will work with defaulted SameSite=Lax.
  • [server-side-storage] - If either htmlLocalStorage is set to false, or the bean references in shibboleth.ClientStorageServices are commented out, HTTP-POST SSO will not work (show login page again) with defaulted SameSite=Lax.


Therefore to try and guarantee SSO on existing installations of the IdP v3.X you should could enabled the HTML Local Storage plugin whether you use client-side storage or server-side storage by setting the idp.storage.htmlLocalStorage property to true in idp.properties, see StorageConfiguration for more information and any implications.

...