That should be all you need to do. Here's an example web.config. I changed the cookie name from its default of ASP.NET_SessionId to make it clearer but this isn't necessary.

<system.web>
  <sessionState cookieName="My.ASP.NET_SessionId" cookieSameSite="None" />
  <httpCookies requireSSL="true"/>
</system.web>

Using the Chrome browser developer tools, I see the following. The session cookie has the Secure and SameSite=None attributes. The raw header is:

set-cookie: My.ASP.NET_SessionId=jl0xj4ihhicmxjpwk2sx4tvm; path=/; secure; HttpOnly; SameSite=None

Please double check that the ASP.NET_SessionId cookie is that for your application, just in case both the IdP and SP applications are running under ASP.NET.

Regards
ComponentSpace Development
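
The header check described in the reply above can be scripted. This is an added example, not part of the original post and not ComponentSpace code: it parses a raw Set-Cookie header copied from the browser developer tools and reports which of the attributes discussed are missing. The function names and the second sample header are constructed for illustration.

```python
def parse_set_cookie(header):
    """Split a raw Set-Cookie header into (name, value, attributes)."""
    # Drop the "set-cookie:" prefix if the line was copied from dev tools.
    if header.lower().startswith("set-cookie:"):
        header = header.split(":", 1)[1]
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()  # attribute names are case-insensitive
    return name.strip(), value, attrs


def audit_session_cookie(header, expected_name):
    """Return a list of problems; an empty list means all checks passed."""
    name, _, attrs = parse_set_cookie(header)
    problems = []
    if name != expected_name:
        # Guards against inspecting another application's session cookie.
        problems.append(f"cookie is {name!r}, expected {expected_name!r}")
    samesite = attrs.get("samesite")
    if samesite is None:
        problems.append("no SameSite attribute (browser default applies)")
    elif samesite.lower() != "none":
        problems.append(f"SameSite={samesite}: not sent on cross-site POST requests")
    if "secure" not in attrs:
        problems.append("Secure missing: Chrome rejects SameSite=None without it")
    if "httponly" not in attrs:
        problems.append("HttpOnly missing")
    return problems


# First header is the one quoted in the post; the second is constructed.
SAMPLES = [
    "set-cookie: My.ASP.NET_SessionId=jl0xj4ihhicmxjpwk2sx4tvm; path=/; secure; HttpOnly; SameSite=None",
    "set-cookie: ASP.NET_SessionId=constructedvalue; path=/; HttpOnly; SameSite=Lax",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        issues = audit_session_cookie(raw, "My.ASP.NET_SessionId")
        print(raw)
        print("  OK" if not issues else "  " + "\n  ".join(issues))
```

Passing the expected cookie name covers the last point in the reply: a header for the default ASP.NET_SessionId name is flagged as a different cookie rather than being audited as if it were this application's.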