IdPCookieUsage
Various jurisdictions now require, at a minimum, that any cookies set/used by a service be documented. This page describes the two cookies used by the IdP.
Login Context Key
During the authentication process, the IdP will set a cookie named _idp_authn_lc_key. This cookie contains only information necessary to identify the current authentication process (which usually spans multiple requests/responses) and is deleted after the authentication process completes.
Session Key
Once a user has been authenticated they will have a long-lived session with the IdP which is tracked by a cookie named _idp_session. This cookie contains only information necessary for identifying the user's IdP session. This cookie is created as a "session" cookie and will be removed when the browser chooses to remove such cookies (often when the browser is closed).
Cookie Scope
In both cases, the IdP cookie is declared such that standards-compliant browsers will only send the cookie to the IdP and only over HTTPS if that is the protocol used to communicate with the IdP.
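A deployer auditing an IdP can confirm these properties from the Set-Cookie headers the IdP actually emits. The following Python script is an added example, not part of the IdP or this page: it parses Set-Cookie headers and reports where either documented cookie departs from the behaviour described above (path scoped to the IdP, no Domain widening, Secure when served over HTTPS, and _idp_session carrying no Expires/Max-Age). It assumes the IdP is deployed under the /idp context path at https://idp.example.org, and the sample headers are constructed, not captured from a real IdP.

```python
"""Audit Set-Cookie headers issued by a Shibboleth IdP against the cookie
properties documented on the IdPCookieUsage page (added example, not IdP code)."""
from urllib.parse import urlparse

# The two cookies documented on the page.
IDP_COOKIES = ("_idp_authn_lc_key", "_idp_session")

# Assumption for the example: the IdP is deployed under /idp and reached over HTTPS.
IDP_BASE_URL = "https://idp.example.org/idp"


def parse_set_cookie(header):
    """Split one Set-Cookie header into name, value and a lowercase attribute map.
    Valueless attributes (Secure, HttpOnly) map to True."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def check_idp_cookie(header, idp_base_url=IDP_BASE_URL):
    """Return a list of findings for one IdP cookie (empty list = as documented),
    or None when the header is not one of the two IdP cookies."""
    cookie = parse_set_cookie(header)
    if cookie["name"] not in IDP_COOKIES:
        return None
    attrs = cookie["attrs"]
    base = urlparse(idp_base_url)
    findings = []

    # Scope: the cookie should only be returned to the IdP's own path, never site-wide.
    idp_path = base.path.rstrip("/") or "/"
    path = attrs.get("path", "/")
    if not (path == idp_path or path.startswith(idp_path.rstrip("/") + "/")):
        findings.append("path-too-broad")

    # Omitting Domain restricts the cookie to the issuing host; an explicit
    # Domain (e.g. a parent domain) would send it to other hosts as well.
    if "domain" in attrs:
        findings.append("domain-set")

    # The Secure flag is expected whenever the IdP is used over HTTPS.
    if base.scheme == "https" and attrs.get("secure") is not True:
        findings.append("missing-secure")

    # _idp_session is a browser "session" cookie: no Expires / Max-Age persistence.
    if cookie["name"] == "_idp_session" and ("expires" in attrs or "max-age" in attrs):
        findings.append("persistent-session")

    return findings


def audit(headers, idp_base_url=IDP_BASE_URL):
    """Audit a list of Set-Cookie headers; returns {cookie name: findings} for IdP cookies only."""
    report = {}
    for header in headers:
        result = check_idp_cookie(header, idp_base_url)
        if result is not None:
            report[parse_set_cookie(header)["name"]] = result
    return report


# Constructed sample headers, not captured from a real IdP.
SAMPLE_HEADERS = [
    "_idp_authn_lc_key=f3a1c9; Path=/idp; Secure; HttpOnly",
    "_idp_session=8b2e77; Path=/idp; Secure; HttpOnly",
    "JSESSIONID=0A1B2C; Path=/idp; Secure",  # servlet container cookie, outside this page's scope
]
# A deliberately misconfigured header to show what the checks flag.
MISCONFIGURED = "_idp_session=8b2e77; Path=/; Domain=example.org; Max-Age=2592000"

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_HEADERS).items():
        print(f"{name}: {'OK' if not findings else ', '.join(findings)}")
    print("misconfigured:", check_idp_cookie(MISCONFIGURED))
```

Run it against headers captured from your own IdP (for example, from the browser's network tools on the login and post-login responses); an empty findings list for both cookies means the deployment matches the scope and flags this page describes, and the finding codes name exactly which property drifted.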