Refer to the following link for information on testing the Chrome SameSite changes.https://blog.chromium.org/2019/10/developers-get-ready-for-new.html
Also, be aware of the "Lax + POST" temporary intervention which allows cookies with a SameSite attribute to be sent on top-level cross-site POST requests if they are at most 2 minutes old. This time period may be reduced or entirely disabled.https://www.chromium.org/updates/same-site
Testing was performed using Chrome 79 and the following flags enabled.Testing with the SAML Library v3.x
The ExampleIdentityProvider and ExampleServiceProvider projects were published to IIS on separate sites (www.idp.com and www.sp.com respectively). Version 3.4.0 of the SAML library was used. However, the following is equally applicable to any version 3.x.
SP-initiated SSO was tested with a 2 minute delay before completing the login at the IdP (see "Lax + POST" intervention above).
The SAML session cookie is set at the SP. Note the SameSite attribute has not be set.
The SAML session cookie is not presented by the browser when control returns to the SP. Instead, a new SAML session cookie is set at the SP.
Next, the SAML HTTP Module was deployed along with the SP and its web.config updated accordingly.
<add name="SAMLCookieHttpModule" type="ComponentSpace.SAML2.SAMLCookieHttpModule"/>
SP-initiated SSO was re-tested once again with a 2 minute delay before completing the login at the IdP.
The SAML session cookie is set at the SP. Note the SameSite attribute is now set to None. The Secure flag is also set.
The SAML session cookie is now presented by the browser when control returns to the SP. No SAML session state has been lost.