Chrome SameSite Cookie Change

Chrome version 80, which is scheduled for release in February 2020, includes a change that may impact SAML SSO.
In most versions of the SAML library, a cookie is used to maintain SAML session state in support of the SAML protocol. This cookie must have a SameSite mode of None.
In earlier releases of Chrome, the SameSite mode defaulted to None. The update defaults the SameSite mode to Lax.
Furthermore, if a SameSite mode of None is specified, Chrome requires the Secure attribute to be specified for the cookie.
For more details, please refer to the Background and ASP.NET Support sections below.
Determining the SAML Library Version

The NuGet package manager identifies the product version being used. Alternatively, refer to Determining the Product Version.
What to do if using SAML Library v4.x

No changes are required as SAML library v4.0.0 and above includes inbuilt support for SameSite=None.
If the application targets .NET framework v4.8 or later, the SAML library makes use of the .NET framework's support for SameSite. Otherwise, for earlier releases of the .NET framework, a workaround is employed to add SameSite support.
What to do if using SAML Library v3.x
Prior to v4.7.2, the .NET framework didn't support setting the SameSite mode.
However, SAML library v3.x supports .NET framework versions prior to v4.7.2, so it cannot rely on the SameSite support added in that .NET framework update.
To avoid the additional disruption of requiring an update to SAML for ASP.NET, a special HTTP module is available that adds the missing SameSite=None.
For example, the HTTP Module updates:
set-cookie: SAML_SessionId=59c203d2-8c64-4ac4-b664-6fb8a7320434; path=/; secure; httponly
To:
set-cookie: SAML_SessionId=59c203d2-8c64-4ac4-b664-6fb8a7320434; path=/; SameSite=None; secure; httponly
The HTTP module does this using a workaround as SameSite isn't supported by the earlier .NET framework API.
The HTTP module, including full source code, is available for download at: SAML Cookie HTTP Module
Note that the HTTP module is required even if your application targets .NET framework v4.7.2 or later as the SameSite support isn't included in the SAML library v3.x.
The following steps should be taken:
1. Copy the HTTP Module DLL to the application's bin folder.
2. To enable the HTTP module, update the application's web.config as follows.
<system.webServer>
  <modules>
    <add name="SAMLCookieHttpModule" type="ComponentSpace.SAML2.SAMLCookieHttpModule"/>
  </modules>
</system.webServer>
3. Confirm that SameSite is working as described in the section below.
What to do if using SAML Library releases from v2.5.0 but earlier than v3.0.0
SAML library v2.5.0 introduced the SAML high-level API which uses a cookie to maintain SAML session state.
The ASP.NET session cookie, rather than a separate SAML session cookie, is used to maintain SAML session state.
The ASP.NET session cookie must include a SameSite value of None and should be marked as secure.
To achieve this:
1. Update the web server to the latest ASP.NET release (i.e. ASP.NET v4.8 or later) to pick up the runtime support for SameSite.
Note that the application may continue to target an earlier version of the .NET framework. For example, your application's project may continue to target .NET framework v4.0 but you need to update the web server to ASP.NET v4.8.
2. Ensure the web server is up to date and the KB article 4531182 and KB article 4524421 updates have been applied. This is also available through KB article 4535104.
Without the updates, configuring the value None does not emit a SameSite attribute in the Set-Cookie header.
For more information, refer to:
https://docs.microsoft.com/en-us/dotnet/api/system.web.configuration.sessionstatesection?view=netframework-4.8
https://docs.microsoft.com/en-us/dotnet/api/system.web.samesitemode?view=netframework-4.8
3. Update the application's web.config to specify the following.
<sessionState cookieSameSite="None" />
<httpCookies requireSSL="true"/>
4. Confirm that SameSite is working as described in the section below.
Without these changes, the SameSite parameter is missing or set to either Lax or Strict.
set-cookie: ASP.NET_SessionId=dwhtw4ajbxblp5pw5arwf0ww; path=/; HttpOnly
After these changes, the SameSite parameter is included.
set-cookie: ASP.NET_SessionId=2s2wesefh0cohv0ugctun4hl; path=/; secure; HttpOnly; SameSite=None
Note though that if the ASP.NET update hasn't been installed on the web server, the unrecognized cookieSameSite attribute will result in an "Unrecognized attribute" configuration error at runtime.
These changes are not required if calling the SAML low-level API rather than the more commonly used SAML high-level API.
What to do if using SAML Library releases earlier than v2.5.0
SAML library releases prior to v2.5.0 support the SAML low-level API only. The SAML high-level API was introduced in v2.5.0. The SAML low-level API doesn't maintain SAML session state and therefore doesn't use a cookie.
Therefore, no changes are required to use the SAML library releases prior to v2.5.0.
Confirming Correct SameSite Support

It's highly recommended that after making the required changes, the SameSite support is confirmed.
For example, use the browser's developer tools to capture the network traffic.
At the beginning of the SSO flow, there will be a Set-Cookie response header similar to the following.
set-cookie: SAML_SessionId=925a928f-1b6e-469a-9593-3a61d8b0b84d; path=/; SameSite=None; secure; HttpOnly
Ensure the SameSite=None and Secure attributes are present.
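As an added example (not the SAML Cookie HTTP Module's own code), the following Python models both the confirmation check described above and the Set-Cookie rewrite the HTTP module performs, including omitting the SameSite attribute for the older browsers covered under Older Browser Support. The user-agent heuristics are an assumption drawn from the Chromium incompatible-clients list (Safari/WebKit on iOS 12 and macOS 10.14, Chrome 51 to 66), not the module's own detection code.

```python
import re

# Assumed heuristics for clients that reject SameSite=None (subset of Chromium's
# incompatible-clients list): Safari/WebKit on iOS 12 and macOS 10.14, and Chrome 51-66.
_IOS12 = re.compile(r"\(iP.+; CPU .*OS 12[_\d]* like Mac OS X\)")
_MACOS1014_SAFARI = re.compile(r"\(Macintosh;.*Mac OS X 10_14[_\d]*\).*Version/.*Safari/")
_CHROME = re.compile(r"Chrom(?:e|ium)/(\d+)\.")

def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, {attribute_lowercase: attribute_value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs

def is_samesite_none_incompatible(user_agent):
    """True when the User-Agent matches a client known to mishandle SameSite=None."""
    if _IOS12.search(user_agent) or _MACOS1014_SAFARI.search(user_agent):
        return True
    m = _CHROME.search(user_agent)
    return bool(m) and 51 <= int(m.group(1)) <= 66

def ensure_samesite_none(header, user_agent=""):
    """Rewrite a Set-Cookie value as the HTTP module does: add SameSite=None and Secure,
    or leave SameSite out entirely for clients that cannot handle it."""
    name, value, attrs = parse_set_cookie(header)
    if is_samesite_none_incompatible(user_agent):
        attrs.pop("samesite", None)
    else:
        attrs["samesite"] = "None"
        attrs["secure"] = ""  # Chrome 80 requires Secure whenever SameSite=None is set
    return "; ".join([f"{name}={value}"] + [k if v == "" else f"{k}={v}" for k, v in attrs.items()])

def check_saml_cookie(header):
    """Confirmation check: list what is missing from a captured Set-Cookie value (empty when fine)."""
    _, _, attrs = parse_set_cookie(header)
    problems = []
    if attrs.get("samesite", "").lower() != "none":
        problems.append("SameSite=None missing: browser defaults to Lax and drops the cookie on the cross-site POST")
    if "secure" not in attrs:
        problems.append("Secure missing: Chrome 80 rejects SameSite=None cookies without Secure")
    return problems

if __name__ == "__main__":  # demo on the legacy header shown on this page, with a constructed user agent
    legacy = "SAML_SessionId=59c203d2-8c64-4ac4-b664-6fb8a7320434; path=/; secure; httponly"
    print(check_saml_cookie(legacy))
    print(ensure_samesite_none(legacy, "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.87 Safari/537.36"))
```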
Older Browser Support

Some older browsers are incompatible with the SameSite mode of None.
In particular, older releases of Safari, prior to OSX Catalina or iOS 13, will fail if presented with a SameSite mode of None.
It's recommended that users upgrade to the latest OSX or iOS release.
Where that isn't possible, note that SAML for ASP.NET v4.0.0 and the SAML Cookie HTTP Module both include code to detect these older browsers and omit the SameSite attribute from the cookie.
There are no known compatibility issues with recent versions of Chrome, Firefox or Edge.
https://www.chromium.org/updates/same-site/incompatible-clients

Background

A SAML session cookie is used to maintain SAML session state and support the SAML protocol.
A set-cookie header may include an optional SameSite attribute whose purpose is to help protect against cross-site request forgery attacks (CSRF).
SAML protocol exchanges are, in most use cases, cross-site. The identity provider (IdP) and service provider (SP) are different sites. Furthermore, these flows do not involve users clicking navigation links from one site to the other. For example, when an IdP sends an SP a SAML response, it returns a 200 HTTP response to the browser containing an HTML form and some JavaScript to automatically submit the form to the SP via an HTTP Post. From the browser's perspective, the current site is the IdP and destination site for the HTTP Post is the SP.
If the SAML session cookie is marked as SameSite=Strict, the browser won't include it with the SAML response as the sites are different. If the SAML session cookie is marked as SameSite=Lax, the browser still won't include it as this isn't considered a top-level navigation action. Specifically, the SameSite specification doesn't consider Post to be a safe HTTP method.
Consequently, the SAML session cookie must be created with a SameSite value of None.
These considerations aren't specific to SAML SSO or ASP.NET. Other external authentication protocols and other platforms potentially have the same issues.
Until recently, Chrome treated a missing SameSite parameter the same as if None had been specified. In other words, None was the default SameSite mode at the browser. Starting with Chrome version 80, SameSite will default to Lax and if a SameSite mode of None is specified, the Secure attribute must be specified for the cookie.
ASP.NET Support

Prior to v4.7.2, the .NET framework didn't support setting the SameSite mode.
For example:
set-cookie: SAML_SessionId=59c203d2-8c64-4ac4-b664-6fb8a7320434; path=/; secure; httponly
Microsoft identified this as an issue, given the impending change in browser support.
https://github.com/aspnet/AspNetCore/issues/12125
Updates to the .NET framework are available that ensure a SameSite mode of None is included in the set-cookie header.
https://docs.microsoft.com/en-us/dotnet/api/system.web.httpcookie.samesite?view=netframework-4.8
For example:
set-cookie: SAML_SessionId=4987e404-617c-450c-8515-35d0b0a8f80c; path=/; secure; samesite=none; httponly
References

https://tools.ietf.org/html/draft-ietf-httpbis-cookie-same-site-00
https://tools.ietf.org/html/draft-west-cookie-incrementalism-00
https://blog.chromium.org/2019/10/developers-get-ready-for-new.html
https://www.chromestatus.com/feature/5088147346030592
https://www.chromium.org/updates/same-site/incompatible-clients
https://github.com/aspnet/AspNetCore/issues/8212
https://github.com/aspnet/AspNetCore/issues/12125
https://github.com/dotnet/core/blob/master/release-notes/2.2/2.2.8/2.2.8.md
https://docs.microsoft.com/en-us/aspnet/samesite/system-web-samesite
https://devblogs.microsoft.com/aspnet/upcoming-samesite-cookie-changes-in-asp-net-and-asp-net-core/