SAML Cookie SameSite Mode None

ComponentSpace Development (Administrators)

Chrome SameSite Cookie Change
Chrome version 80, which is scheduled for release in February 2020, includes a change that may impact SAML SSO.

SAML for ASP.NET Core uses a cookie to maintain SAML session state in support of the SAML protocol. This cookie must have a SameSite mode of None.

In earlier releases of Chrome, the SameSite mode defaulted to None. The update defaults the SameSite mode to Lax.

Furthermore, if a SameSite mode of None is specified, Chrome requires the Secure attribute to be specified for the cookie.

For more details, please refer to the Background and ASP.NET Core Support sections below.

What to do if using SAML for ASP.NET Core
To ensure SAML SSO continues to work with the latest browser releases, update to the latest .NET Core SDKs for v2.1, 2.2 and 3.0.

https://devblogs.microsoft.com/dotnet/net-core-november-2019/

No changes are required to the SAML library or the application code.

Refer to the Older Browser Support section if Safari on macOS 10.15 Mojave and iOS 12 are to be supported.

Confirming Correct SameSite Support
It's highly recommended that after making the required changes, the SameSite support is confirmed.

For example, use the browser developer tools to capture the network traffic.

At the beginning of the SSO flow, there will be a Set-Cookie response header similar to the following.

set-cookie: saml-session=4987e404-617c-450c-8515-35d0b0a8f80c; path=/; secure; samesite=none; httponly

Ensure the SameSite=None and Secure attributes are present.

Older Browser Support
Some older browsers are incompatible with the SameSite mode of None.

In particular, older releases of Safari, prior to OSX Catalina or iOS 13, will fail if presented with a SameSite mode of None.

It's recommended that users upgrade to the latest OSX or iOS release.

Of course, this may not be possible, and the following code may be added to your application's Startup to handle this.

SameSite Startup Code

There are no known compatibility issues with recent versions of Chrome, Firefox or Edge.

https://www.chromium.org/updates/same-site/incompatible-clients

Background
A SAML session cookie is used to maintain SAML session state and support the SAML protocol.

A set-cookie header may include an optional SameSite attribute whose purpose is to help protect against cross-site request forgery attacks (CSRF).

SAML protocol exchanges are, in most use cases, cross-site. The identity provider (IdP) and service provider (SP) are different sites. Furthermore, these flows do not involve users clicking navigation links from one site to the other. For example, when an IdP sends an SP a SAML response, it returns a 200 HTTP response to the browser containing an HTML form and some JavaScript to automatically submit the form to the SP via an HTTP Post. From the browser's perspective, the current site is the IdP and the destination site for the HTTP Post is the SP.

If the SAML session cookie is marked as SameSite=Strict, the browser won't include it with the SAML response as the sites are different. If the SAML session cookie is marked as SameSite=Lax, the browser still won't include it as this isn't considered a top-level navigation action. Specifically, the SameSite specification doesn't consider Post to be a safe HTTP method.

Consequently, the SAML session cookie must be created with a SameSite value of None.

These considerations aren't specific to SAML SSO or ASP.NET. Other external authentication protocols and other platforms potentially have the same issues.

Until recently, Chrome treated a missing SameSite parameter the same as if None had been specified. In other words, None was the default SameSite mode at the browser. Starting with Chrome version 80, SameSite will default to Lax and if a SameSite mode of None is specified, the Secure attribute must be specified for the cookie.

ASP.NET Core Support
If a SameSite mode of None is specified, earlier releases of ASP.NET Core don't set this property in the set-cookie header.

For example:

set-cookie: saml-session=59c203d2-8c64-4ac4-b664-6fb8a7320434; path=/; secure; httponly

Microsoft identified this as an issue, given the impending change in browser support.

https://github.com/aspnet/AspNetCore/issues/12125

Updates to the .NET Core SDK are available that ensure a SameSite mode of None is included in the set-cookie header.

For example:

set-cookie: saml-session=4987e404-617c-450c-8515-35d0b0a8f80c; path=/; secure; samesite=none; httponly

The updates are available via:

https://devblogs.microsoft.com/dotnet/net-core-november-2019/

If using .NET Core 2.2, the 2.2.207 update is required for Visual Studio 2019 and the 2.2.110 update is required for Visual Studio 2017.

If using .NET Core 3.0, the 3.0.101 update is required.

The fix is included in the .NET Core 3.1 release.

To determine which SDKs are installed, run:

dotnet.exe --list-sdks

For .NET Core 2.2, the following should be in the list:

2.2.207 [C:\Program Files\dotnet\sdk]

References
https://tools.ietf.org/html/draft-ietf-httpbis-cookie-same-site-00
https://tools.ietf.org/html/draft-west-cookie-incrementalism-00

https://blog.chromium.org/2019/10/developers-get-ready-for-new.html
https://www.chromestatus.com/feature/5088147346030592

https://github.com/aspnet/AspNetCore/issues/8212
https://github.com/aspnet/AspNetCore/issues/12125
https://github.com/dotnet/core/blob/master/release-notes/2.2/2.2.8/2.2.8.md

https://devblogs.microsoft.com/dotnet/net-core-november-2019/
https://dotnet.microsoft.com/download/dotnet-core/2.2
https://dotnet.microsoft.com/download/dotnet-core/3.0

https://devblogs.microsoft.com/aspnet/upcoming-samesite-cookie-changes-in-asp-net-and-asp-net-core/
https://docs.microsoft.com/en-us/aspnet/core/security/samesite?view=aspnetcore-3.1



Regards
ComponentSpace Development
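The following is an added example, not ComponentSpace code and not part of the post above. It models the browser rules the Background section walks through (Strict and Lax cookies are withheld from the cross-site SAML response POST, None is sent only when Secure is also present, and Chrome 80 treats a missing attribute as Lax where earlier Chrome treated it as None) and implements the check from the Confirming Correct SameSite Support section against the two set-cookie headers shown in the post. Assumptions: the model treats a defaulted Lax exactly like an explicit Lax and ignores Chrome's temporary "Lax+POST" two-minute exception; the header strings are the samples from the post, not captured traffic.

```python
"""Model of SameSite cookie handling for a cross-site SAML response POST,
plus a checker for the saml-session Set-Cookie header.

Added example, not ComponentSpace code. Simplification: a missing SameSite
attribute is treated as plain Lax on a current browser, ignoring Chrome's
temporary Lax+POST two-minute exception."""
from typing import Dict, List, Optional

# Methods the SameSite specification considers "safe"; Lax cookies are sent
# on cross-site top-level navigations only for these. POST is not one of them.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}

# Header values taken from the post above (sample values, not live sessions).
HEADER_AFTER_UPDATE = ("saml-session=4987e404-617c-450c-8515-35d0b0a8f80c; "
                       "path=/; secure; samesite=none; httponly")
HEADER_BEFORE_UPDATE = ("saml-session=59c203d2-8c64-4ac4-b664-6fb8a7320434; "
                        "path=/; secure; httponly")


def parse_set_cookie(header: str) -> Dict[str, Optional[str]]:
    """Split a Set-Cookie value into a map of lowercase attribute names.
    Flag attributes (secure, httponly) map to None; the cookie's own
    name and value are stored under 'name' and 'value'."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, Optional[str]] = {"name": name.strip(), "value": value.strip()}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip().lower() if sep else None
    return attrs


def samesite_mode(attrs: Dict[str, Optional[str]], legacy_browser: bool = False) -> str:
    """Effective SameSite mode: Chrome 80 defaults a missing attribute to Lax,
    earlier Chrome releases defaulted it to None."""
    mode = attrs.get("samesite")
    if mode is None:
        return "none" if legacy_browser else "lax"
    return mode


def cookie_accepted(attrs: Dict[str, Optional[str]], legacy_browser: bool = False) -> bool:
    """Chrome 80 rejects a SameSite=None cookie that lacks the Secure attribute."""
    if legacy_browser:
        return True
    return not (samesite_mode(attrs) == "none" and "secure" not in attrs)


def cookie_sent(attrs: Dict[str, Optional[str]], *, cross_site: bool, method: str,
                top_level: bool, legacy_browser: bool = False) -> bool:
    """Would the browser attach this cookie to the described request?"""
    if not cookie_accepted(attrs, legacy_browser):
        return False  # never stored, so never sent
    if not cross_site:
        return True   # SameSite only restricts cross-site requests
    mode = samesite_mode(attrs, legacy_browser)
    if mode == "strict":
        return False
    if mode == "lax":
        # Lax: only top-level navigations with a safe method. The IdP's
        # auto-submitted form is a top-level POST, so it is excluded.
        return top_level and method.upper() in SAFE_METHODS
    return True  # none: sent cross-site (Secure already verified above)


def check_saml_cookie(header: str) -> List[str]:
    """Return the problems found in a saml-session Set-Cookie header;
    an empty list means SameSite=None and Secure are both present."""
    attrs = parse_set_cookie(header)
    problems = []
    if attrs.get("samesite") != "none":
        problems.append("SameSite=None missing")
    if "secure" not in attrs:
        problems.append("Secure missing")
    return problems


if __name__ == "__main__":
    for label, header in (("after update", HEADER_AFTER_UPDATE),
                          ("before update", HEADER_BEFORE_UPDATE)):
        attrs = parse_set_cookie(header)
        sent = cookie_sent(attrs, cross_site=True, method="POST", top_level=True)
        print(f"{label}: problems={check_saml_cookie(header) or 'none'}, "
              f"sent with SAML response on Chrome 80: {sent}")
```

Run it as a script to see both headers evaluated; in a real check, paste the set-cookie value captured in the browser developer tools into `check_saml_cookie`.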