SameSite cookie patch
Recent browser changes break the SAML SSO scenario because the PhxAuthN cookie either lacks a SameSite value or carries an incorrect one.
This patch adds the "SameSite=None" value to the cookie. Note that for this to work properly, communication between the client browser and the server must go over a TLS-protected channel.
The SameSite parameter for cookies is not new. It has three possible values: Lax, Strict and None. What is new is how browsers use the parameter: if it is missing, browsers now treat it as Lax instead of None, and that breaks SSO in a federated environment.
Another issue is that setting SameSite to None is not enough on its own. The cookie's Secure parameter must also be set to True; otherwise the browser treats the cookie as invalid and drops it.
The fix below sets the SameSite parameter of the cookie needed for SSO to None.
Please read the included instructions on how to set the Secure parameter to True.
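As an added example (not code from the patch or the product), the following Python models the two browser rules described above, a missing SameSite being treated as Lax and SameSite=None without Secure being dropped, and rewrites a Set-Cookie header the way the patch does. The cookie name PhxAuthN is from this page; the header values are constructed.

```python
"""Check a Set-Cookie header against the new browser SameSite defaults.

Constructed example: the cookie name PhxAuthN comes from the patch note,
the attribute values are made up for illustration.
"""


def parse_set_cookie(header):
    """Split 'name=value; Attr; Attr=val' into (name, value, [(attr, val), ...])."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = []
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs.append((key.strip(), val.strip()))
    return name.strip(), value.strip(), attrs


def _attr(attrs, key):
    """Case-insensitive attribute lookup: None if absent, '' for flags like Secure."""
    for k, v in attrs:
        if k.lower() == key:
            return v
    return None


def effective_samesite(header):
    """SameSite mode a current browser applies, or 'rejected' if it drops the cookie."""
    _, _, attrs = parse_set_cookie(header)
    samesite = (_attr(attrs, "samesite") or "lax").lower()  # missing -> Lax (new default)
    if samesite == "none" and _attr(attrs, "secure") is None:
        return "rejected"  # None without Secure: the browser discards the cookie
    return samesite  # 'lax', 'strict' or 'none'


def sent_on_cross_site_post(header):
    """The SAML POST from the other party is cross-site, so only SameSite=None cookies ride along."""
    return effective_samesite(header) == "none"


def fixed_set_cookie(header):
    """Rewrite the header to 'SameSite=None; Secure', which is what the patch adds."""
    name, value, attrs = parse_set_cookie(header)
    kept = [(k, v) for k, v in attrs if k.lower() not in ("samesite", "secure")]
    kept += [("SameSite", "None"), ("Secure", "")]
    rendered = [f"{k}={v}" if v else k for k, v in kept]
    return "; ".join([f"{name}={value}"] + rendered)


if __name__ == "__main__":
    unpatched = "PhxAuthN=abc123; Path=/; HttpOnly"  # constructed pre-patch header
    for hdr in (unpatched, fixed_set_cookie(unpatched)):
        print(f"{hdr!r}: effective={effective_samesite(hdr)} "
              f"sent on SSO POST={sent_on_cross_site_post(hdr)}")
```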
To find out whether a problem is related to SameSite, you can change the browser's behavior.
In Chrome, browse to chrome://flags, search for samesite, and set #same-site-by-default-cookies and #cookies-without-same-site-must-be-secure to Disabled.
The browser then bypasses the new security settings; if SSO starts working again, the SameSite change is the cause. This only confirms the diagnosis for that one browser and does not replace the patch.
How to apply
Download the zip and follow the instructions in the readme included in the zip.
File name | SHA 256 checksum
How to verify applied patch
Browse to a page on your SAML IDP.
Open your browser Developer Tools.
Find the cookies section for your IDP hostname.
Verify that the PhxAuthN cookie has SameSite=None and Secure=true.