SameSite attribute break SAML flow

Chrome 80 will introduce a new cookie attribute, SameSite:

  • Strict - Only attach cookies for 'same-site' requests.
  • Lax - Send cookies for 'same-site' requests, along with 'cross-site' top-level navigations using safe HTTP methods (e.g. GET, HEAD, OPTIONS, TRACE).
  • None - Send cookies for all 'same-site' and 'cross-site' requests.

For more information, this article explains SameSite pretty well.

From Azure documentation:

The cloud service (the service provider) uses an HTTP Redirect binding to pass an AuthnRequest (authentication request) element to Azure AD (the identity provider). Azure AD then uses an HTTP POST binding to post a Response element to the cloud service.

My question is: why does SameSite break the SAML flow?

When the IdP POSTs the response back to the SP, if SameSite=Lax, the user-agent will not send cookies for the SP domain. Even if it does not send those cookies, I don't see any problem for the SP.

truongnm asked Dec 23 '22 19:12


1 Answer

When the IdP POSTs the response back to the SP, if SameSite=Lax, the user-agent will not send cookies for the SP domain. Even if it does not send those cookies, I don't see any problem for the SP.

On IdP-initiated flows, there likely wouldn't be any issues whatsoever, because there's no state outside of the SAML Response that is sent.

SP-initiated flows, however, would very likely be broken. The reason is that most SP products track the browser session via a cookie that they set before sending the user to the IdP. The browser is redirected to the IdP, authenticated, and sent back to the SP with the response in a POST. If the cookie wasn't set with SameSite=None; Secure (don't forget: cookies that need SameSite=None also have to be set with Secure), then the SP's cookie won't be passed back to the SP with the POST, so the SP doesn't have all the pieces it needs to establish the session securely.

One way to look at it: the user needs two sets of keys to establish a secure session at the SP. The first is the session key from the SP's own cookie, and the other is the key from the IdP.

Andrew K. answered Jan 04 '23 21:01
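The mechanism in the answer above, as an added worked example (not code from the question, the answer, or any SP product): a toy browser cookie jar that applies the three SameSite rules listed in the question, plus a toy SP and IdP. It walks an SP-initiated login (SP sets a pre-auth cookie bound to the AuthnRequest ID, redirects, IdP form-POSTs the Response back) and shows that with SameSite=Lax or Strict the cookie never reaches the assertion consumer, with SameSite=None; Secure it does, and that SameSite=None without Secure is dropped at set time. The hostnames sp.example and idp.example, the cookie name sp_session, and the in-memory session store are assumptions made for the simulation; XML, signatures and redirect bindings are not modelled.

```python
from dataclasses import dataclass
from typing import Optional
import secrets

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}
SP_SITE, IDP_SITE = "sp.example", "idp.example"   # assumed hostnames


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    same_site: str          # "Strict", "Lax" or "None"
    secure: bool = True
    site: str = SP_SITE     # site the cookie belongs to


@dataclass
class Request:
    method: str
    target: str             # site receiving the request
    initiator: str          # site whose page or redirect caused it
    top_level: bool = True  # a navigation rather than a subresource fetch
    https: bool = True


class Browser:
    """Toy cookie jar applying the SameSite rules from the question."""

    def __init__(self):
        self.jar = []

    def set_cookie(self, c: Cookie) -> bool:
        # Chrome 80 rejects SameSite=None cookies that are not also Secure.
        if c.same_site == "None" and not c.secure:
            return False
        self.jar.append(c)
        return True

    def cookies_for(self, req: Request) -> dict:
        sent = {}
        for c in self.jar:
            if c.site != req.target or (c.secure and not req.https):
                continue
            same_site = req.initiator == req.target
            if c.same_site == "Strict":
                ok = same_site
            elif c.same_site == "Lax":
                # cross-site only on a top-level navigation with a safe method
                ok = same_site or (req.top_level and req.method in SAFE_METHODS)
            elif c.same_site == "None":
                ok = True
            else:
                raise ValueError(f"bad SameSite value {c.same_site!r}")
            if ok:
                sent[c.name] = c.value
        return sent


@dataclass
class AuthnRequest:
    id: str


@dataclass
class SamlResponse:
    in_response_to: Optional[str]   # None for an unsolicited (IdP-initiated) Response


class ServiceProvider:
    def __init__(self, same_site: str, secure: bool = True):
        self.same_site, self.secure = same_site, secure
        self.sessions = {}          # session id -> AuthnRequest id it is waiting for

    def start_login(self, browser: Browser) -> AuthnRequest:
        """SP-initiated step 1: pre-auth session, bound to the AuthnRequest ID,
        stored in a cookie before the browser is redirected to the IdP."""
        sid, req_id = secrets.token_hex(8), "_" + secrets.token_hex(8)
        self.sessions[sid] = req_id
        browser.set_cookie(Cookie("sp_session", sid, self.same_site, self.secure))
        return AuthnRequest(req_id)

    def assertion_consumer(self, cookies: dict, resp: SamlResponse) -> str:
        """Step 3: the IdP's HTTP-POST lands here (signature check omitted)."""
        if resp.in_response_to is None:        # IdP-initiated: nothing to correlate
            self.sessions[secrets.token_hex(8)] = None
            return "ok"
        sid = cookies.get("sp_session")
        if sid is None:
            return "rejected: no session cookie on the POST"
        if self.sessions.get(sid) != resp.in_response_to:
            return "rejected: InResponseTo does not match this session"
        return "ok"


def sp_initiated_login(same_site: str, secure: bool = True) -> str:
    browser, sp = Browser(), ServiceProvider(same_site, secure)
    authn = sp.start_login(browser)                     # sets cookie, 302 to IdP
    # The IdP authenticates the user and auto-submits a form POST to the SP's ACS.
    post = Request("POST", target=SP_SITE, initiator=IDP_SITE)
    return sp.assertion_consumer(browser.cookies_for(post), SamlResponse(authn.id))


def idp_initiated_login(same_site: str) -> str:
    browser, sp = Browser(), ServiceProvider(same_site)
    post = Request("POST", target=SP_SITE, initiator=IDP_SITE)
    return sp.assertion_consumer(browser.cookies_for(post), SamlResponse(None))


if __name__ == "__main__":
    for ss, sec in [("Lax", True), ("Strict", True), ("None", True), ("None", False)]:
        print(f"SP-initiated, SameSite={ss}; Secure={sec}: {sp_initiated_login(ss, sec)}")
    print("IdP-initiated, SameSite=Lax:", idp_initiated_login("Lax"))
```

Two caveats the simulation leaves out: Chrome's "Lax + POST" mitigation lets a cookie that carries no SameSite attribute at all (and is therefore defaulted to Lax) ride along on a top-level cross-site POST for the first two minutes after it is set, whereas a cookie explicitly marked SameSite=Lax gets no such grace; and the Lax branch here shows why the redirect to the IdP (a top-level GET) still carries cookies while the POST back does not.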