Forums, Documentation & Knowledge Base - ComponentSpace

SAML Cookie SameSite Testing with Chrome


http://componentspace.com/Forums/Topic10603.aspx

By ComponentSpace - 1/19/2020

Configuring Chrome
Refer to the following link for information on testing the Chrome SameSite changes.
https://blog.chromium.org/2019/10/developers-get-ready-for-new.html  

Also, be aware of the "Lax + POST" temporary intervention which allows cookies with a SameSite attribute to be sent on top-level cross-site POST requests if they are at most 2 minutes old. This time period may be reduced or entirely disabled.
https://www.chromium.org/updates/same-site

Testing was performed using Chrome 79 and the following flags enabled.



Testing with the SAML Library v3.x
The ExampleIdentityProvider and ExampleServiceProvider projects were published to IIS on separate sites (www.idp.com and www.sp.com respectively). Version 3.4.0 of the SAML library was used. However, the following is equally applicable to any version 3.x.

SP-initiated SSO was tested with a 2 minute delay before completing the login at the IdP (see "Lax + POST" intervention above).

The SAML session cookie is set at the SP. Note the SameSite attribute has not been set.



The SAML session cookie is not presented by the browser when control returns to the SP. Instead, a new SAML session cookie is set at the SP.



Next, the SAML HTTP Module was deployed along with the SP and its web.config updated accordingly.


<system.webServer>
  <modules>
    <add name="SAMLCookieHttpModule" type="ComponentSpace.SAML2.SAMLCookieHttpModule"/>
  </modules>
</system.webServer>



SP-initiated SSO was re-tested once again with a 2 minute delay before completing the login at the IdP.

The SAML session cookie is set at the SP. Note the SameSite attribute is now set to None. The Secure flag is also set.



The SAML session cookie is now presented by the browser when control returns to the SP. No SAML session state has been lost.
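The behaviour observed above can be modelled in a few lines. The following Python is an added illustration, not ComponentSpace code: it encodes Chrome 80's "SameSite by default", "Cookies without SameSite must be secure" and "Lax + POST" rules and applies them to the SP-initiated SSO round trip, where the SAML response arrives at the SP as a top-level cross-site POST. The cookie name and the helper functions are assumptions for the example.

```python
from dataclasses import dataclass
from typing import Optional

LAX_POST_WINDOW_SECONDS = 120  # temporary "Lax + POST" intervention; may shrink or disappear

@dataclass
class Cookie:
    name: str
    samesite: Optional[str]  # "None", "Lax", "Strict", or None when the attribute is absent
    secure: bool
    set_at: float            # time (seconds) at which the SP issued Set-Cookie

@dataclass
class Request:
    method: str
    https: bool
    top_level: bool   # a navigation (address bar changes), not a subresource fetch
    cross_site: bool  # the initiating site differs from the request's site

def browser_accepts(cookie: Cookie) -> bool:
    """'Cookies without SameSite must be secure': SameSite=None requires Secure."""
    return not (cookie.samesite == "None" and not cookie.secure)

def cookie_sent(cookie: Cookie, req: Request, now: float) -> bool:
    """Decide whether Chrome 80 attaches the cookie to the request."""
    if not browser_accepts(cookie) or (cookie.secure and not req.https):
        return False
    if not req.cross_site:
        return True
    mode = cookie.samesite or "Lax"  # "SameSite by default": missing attribute treated as Lax
    if mode == "None":
        return True
    if mode == "Strict":
        return False
    # Lax: top-level navigations with safe methods only...
    if req.top_level and req.method in ("GET", "HEAD"):
        return True
    # ...plus "Lax + POST" for cookies that carry no SameSite attribute and are at most 2 minutes old
    fresh = (now - cookie.set_at) <= LAX_POST_WINDOW_SECONDS
    return cookie.samesite is None and req.top_level and req.method == "POST" and fresh

def saml_session_cookie_presented(samesite: Optional[str], secure: bool, login_delay: float) -> bool:
    """SP-initiated SSO: the SP sets its session cookie, the user is sent to the IdP, and the
    SAML response comes back as a top-level cross-site POST login_delay seconds later."""
    t0 = 1_000_000.0
    cookie = Cookie("SAML_SessionId", samesite, secure, set_at=t0)  # constructed sample cookie
    response_post = Request("POST", https=True, top_level=True, cross_site=True)
    return cookie_sent(cookie, response_post, now=t0 + login_delay)
```

With no SameSite attribute the cookie survives only while the "Lax + POST" window lasts; with SameSite=None; Secure, as set by the HTTP module, it is presented regardless of how long the login at the IdP takes.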


By ComponentSpace - 1/25/2020

mlam - 1/25/2020
Hi,

I only managed to download Chrome 81 Beta and it has "Cookies without SameSite must be secure". Should I turn it on?

Yes. Enable that flag too.