SameSite cookie patch

Recent browser changes break the SAML SSO scenario because the PhxAuthN cookie either lacks a SameSite value or carries an incorrect one.

This patch adds the "SameSite=None" attribute to the cookie. Note that for this to work properly, communication between the client browser and the server must use a TLS-protected channel.

SameSite briefing

The SameSite attribute for cookies is not a new thing.
The attribute has three possible values: Lax, Strict and None.
What is new is how browsers interpret the attribute.
If the attribute is missing, browsers now default it to Lax instead of None.
That breaks SSO in a federated environment.

Another issue is that setting the SameSite attribute to None is not enough on its own.
The cookie's Secure attribute must also be set to True.
Otherwise the browser treats the cookie as invalid and rejects it.

The fix below sets the SameSite attribute of the cookie needed for SSO to None.
Please read the included instructions on how to set the Secure attribute to True.
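The rules above (missing SameSite defaults to Lax, SameSite=None requires Secure) can be applied to a Set-Cookie header as sent by the IDP, for example copied from an HTTP trace or the browser's network tab. The checker below is an added example, not part of the patch or the product; it assumes the SSO cookie is named PhxAuthN as stated in this note, and the sample headers are constructed.

```python
"""Check whether a Set-Cookie header survives the new browser SameSite defaults.

Added example, not part of the patch. Assumes the SSO cookie is named
PhxAuthN (as in the patch note) and the header is inspected as sent by the IDP.
"""
from typing import Dict, Optional

COOKIE_NAME = "PhxAuthN"


def parse_set_cookie(header: str) -> Dict[str, Optional[str]]:
    """Split a Set-Cookie header into its name/value pair and its attributes.

    Attribute names are lower-cased; flags without a value (Secure, HttpOnly)
    map to None. The cookie name and value are stored under __name/__value.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, Optional[str]] = {"__name": name.strip(), "__value": value.strip()}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else None
    return attrs


def check_sso_cookie(header: str) -> str:
    """Classify the cookie the way a current browser treats it.

    Returns 'ok' when the cookie will be sent on the cross-site SAML flow,
    otherwise a short reason why SSO breaks.
    """
    attrs = parse_set_cookie(header)
    if attrs["__name"] != COOKIE_NAME:
        return "not the SSO cookie"
    samesite = attrs.get("samesite")
    if samesite is None:
        # No attribute: browsers now default to Lax, so the cookie is not
        # sent on the cross-site request that completes the federated login.
        return "missing SameSite (browser defaults to Lax)"
    if samesite.lower() != "none":
        return f"SameSite={samesite} blocks cross-site use"
    if "secure" not in attrs:
        # SameSite=None without Secure is rejected outright by current browsers.
        return "SameSite=None without Secure (browser rejects the cookie)"
    return "ok"


# Constructed sample headers: unpatched, half-fixed, and fully patched.
BEFORE = "PhxAuthN=abc123; Path=/; HttpOnly"
HALF_FIXED = "PhxAuthN=abc123; Path=/; HttpOnly; SameSite=None"
AFTER = "PhxAuthN=abc123; Path=/; HttpOnly; SameSite=None; Secure"

if __name__ == "__main__":
    for hdr in (BEFORE, HALF_FIXED, AFTER):
        print(f"{hdr!r}: {check_sso_cookie(hdr)}")
```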

To find out whether a problem is related to SameSite, you can change the browser's behaviour.
In Chrome, browse to chrome://flags, search for "samesite", and set the flags #same-site-by-default-cookies and #cookies-without-same-site-must-be-secure to Disabled.
The browser will then bypass the new security settings.

Download the zip and follow the instructions in the readme included in it.

File name: 202002140.zip
SHA-256 checksum: ef39cc1f9a5d002798d095fbde338fa0f50487e674791053a0c050fb3b516540

How to verify applied patch

Browse to a page on your SAML IDP.
Open your browser's Developer Tools.
Find the cookies section for your IDP hostname.
Verify that the PhxAuthN cookie has the attributes SameSite=None and Secure=true.