SAML Cookie SameSite Testing with Chrome
ComponentSpace (ComponentSpace Development, 3.4K reputation)
Group: Administrators
Posts: 2.4K, Visits: 6.8K
Configuring Chrome
Refer to the following link for information on testing the Chrome SameSite changes.
https://blog.chromium.org/2019/10/developers-get-ready-for-new.html  

Also, be aware of the "Lax + POST" temporary intervention which allows cookies with a SameSite attribute to be sent on top-level cross-site POST requests if they are at most 2 minutes old. This time period may be reduced or entirely disabled.
https://www.chromium.org/updates/same-site

Testing was performed using Chrome 79 and the following flags enabled.



Testing with the SAML Library v3.x
The ExampleIdentityProvider and ExampleServiceProvider projects were published to IIS on separate sites (www.idp.com and www.sp.com respectively). Version 3.4.0 of the SAML library was used. However, the following is equally applicable to any version 3.x.

SP-initiated SSO was tested with a 2 minute delay before completing the login at the IdP (see "Lax + POST" intervention above).

The SAML session cookie is set at the SP. Note the SameSite attribute has not been set.



The SAML session cookie is not presented by the browser when control returns to the SP. Instead, a new SAML session cookie is set at the SP.



Next, the SAML HTTP Module was deployed along with the SP and its web.config updated accordingly.


<system.webServer>
  <modules>
    <add name="SAMLCookieHttpModule" type="ComponentSpace.SAML2.SAMLCookieHttpModule"/>
  </modules>
</system.webServer>



SP-initiated SSO was re-tested once again with a 2 minute delay before completing the login at the IdP.

The SAML session cookie is set at the SP. Note the SameSite attribute is now set to None. The Secure flag is also set.



The SAML session cookie is now presented by the browser when control returns to the SP. No SAML session state has been lost.




Regards
ComponentSpace Development
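As an added example (not ComponentSpace code), the following Python model applies the Chrome SameSite rules referenced in the post (SameSite-by-default, the "Lax + POST" 2 minute allowance, and the Chrome 80+ requirement that SameSite=None cookies also be Secure) to the SP-initiated SSO exchange tested above, where the IdP's auto-submitted form POSTs the SAMLResponse cross-site to the SP. The hostnames are the ones used in the test; the cookie ages and flag combinations are constructed inputs, and "same site" is simplified to "same host".

```python
from dataclasses import dataclass
from typing import Optional

LAX_POST_WINDOW_SECONDS = 120  # the temporary "Lax + POST" allowance

@dataclass
class Cookie:
    host: str                         # site that set the cookie, e.g. "www.sp.com"
    same_site: Optional[str] = None   # None = attribute absent; or "Lax", "Strict", "None"
    secure: bool = False
    age_seconds: int = 0              # time since Set-Cookie when the request is made

def browser_stores(cookie: Cookie, require_secure_for_none: bool = True) -> bool:
    # "Cookies without SameSite must be secure" flag: SameSite=None needs Secure
    return not (cookie.same_site == "None" and require_secure_for_none and not cookie.secure)

def browser_sends(cookie: Cookie, initiator_host: str, target_host: str, method: str,
                  https: bool = True) -> bool:
    # Is a stored cookie attached to a top-level request? (site == host, simplified)
    if cookie.host != target_host or (cookie.secure and not https):
        return False
    if initiator_host == target_host:
        return True                       # same-site: SameSite never blocks
    mode = cookie.same_site or "Lax"      # SameSite-by-default: absent is treated as Lax
    if mode == "None":
        return True
    if mode == "Strict":
        return False
    if method in ("GET", "HEAD"):
        return True                       # Lax allows top-level safe navigations
    # Lax + POST: only cookies with no attribute, only within the 2 minute window
    return cookie.same_site is None and method == "POST" and cookie.age_seconds <= LAX_POST_WINDOW_SECONDS

def saml_session_survives(cookie: Cookie) -> bool:
    # SP-initiated SSO: the IdP page auto-submits the SAMLResponse as a top-level
    # cross-site POST from www.idp.com to the SP's assertion consumer service on www.sp.com
    return browser_stores(cookie) and browser_sends(cookie, "www.idp.com", "www.sp.com", "POST")

def run_scenarios() -> dict:
    # Constructed inputs matching the post: login completed after a 2 minute delay (150 s)
    return {
        "no SameSite, 2 min delay": saml_session_survives(Cookie("www.sp.com", None, False, 150)),
        "no SameSite, quick login": saml_session_survives(Cookie("www.sp.com", None, False, 30)),
        "SameSite=None; Secure (module)": saml_session_survives(Cookie("www.sp.com", "None", True, 150)),
        "SameSite=None without Secure": saml_session_survives(Cookie("www.sp.com", "None", False, 150)),
    }
```

The first scenario is the session loss seen before the module was deployed; the second shows why a quick login hides the problem during testing, which is why the post inserts the delay.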
mlam (New Member, 27 reputation)
Group: Forum Members
Posts: 15, Visits: 31
ComponentSpace - 1/19/2020
Hi

I only managed to download Chrome 81 Beta and it has a "Cookies without SameSite must be secure" flag. Should I turn it on?
ComponentSpace (ComponentSpace Development, 3.4K reputation)
Group: Administrators
Posts: 2.4K, Visits: 6.8K
mlam - 1/25/2020
Hi

I only managed to download Chrome 81 Beta and it has a "Cookies without SameSite must be secure" flag. Should I turn it on?

Yes. Enable that flag too.

Regards
ComponentSpace Development