This Is What Chrome’s New Samesite Cookies Mean For Your Identity Provider

In February 2020, authentication for IdPs that didn't set SameSite=None on their session cookies stopped working

Come February 2020, Single Sign-On (SSO) with some Identity Providers (IdPs) will break for Chrome users. Google will enable SameSite flag cookie enforcement to its Chrome browser currently planned for version 80, due in early February 2020 and for beta users earlier.

This effectively breaks reauthorization via POST binding after the service provider (your SSO-enabled apps) session ends for IdPs that currently don’t set SameSite=None on their session cookies.

This is a move in an ongoing initiative of making the web safe by default, but it has the negative side effect of breaking certain integrations that are not prepared and rely on this functionality.

Note that this article only applies to the SAML SSO with POST binding. OIDC with session management is affected as well. SAML Redirect binding is not affected, other protocols should not be affected as well.

What will happen?

On the morning of February 4th 2020, when Chrome 80 is released, your SSO experience could look like this:

You visit Jira or any other SSO-enabled application for the first time with the newly updated browser.
Then, as usual, Jira would try to log your browser in by redirecting it to your identity provider.
But instead of this just going through unnoticed, you would be asked for your credentials.
You would enter them, a little bewildered, since you barely ever have to do that. But it would work.
Then you visit Confluence, and you would have to enter your credentials again. And on every other SSO-enabled application.
And then, when your sessions expire after a couple of hours, you would be asked again. For every application.

How did this happen?

Because the new default behavior in Chrome 80 is to assume SameSite=Lax for every existing cookie, the IdP’s session cookies are not sent during cross-origin POST requests, which is an essential step in how SAML POST binding works.

This means that when the service provider (our plugin for example) has the user’s browser send a POST request to the IdP, the session cookie that the user has on the IdP isn’t sent with this request. This causes the IdP to think think that the user is not logged in and prompts them for their credentials, even if the user has already logged in on that day.

My expectation is that this will affect a lot of users, especially if they use on-premise IdPs which are not updated as often as they should.

How to solve the problem?

We did some research for a solution. The best one is to Update your Identity Provider to a version that automatically sets the SameSite=None flag. Here is some information we have gathered on SameSite support:

IdP Vendor Support of SameSite=None cookie option (as of 2019-12-20)

We are aware that updating your IdP may not really be an option. We have done some research and found some possible mitigation techniques:

Option 1: Set flag at reverse proxy / load balancer

If an update is not yet available for your IdP and if you have a reverse proxy or load balancer in front of your IdP, you might be able to configure it to set the SameSite flag. The exact technique will vary based on the software you’re using.

When you implement this option, please note that older Safari versions on macOS and iOS devices interpret this setting wrongly and need to be exempt from this flag: https://bugs.webkit.org/show_bug.cgi?id=198181#c24

Option 2: Use Redirect binding in SAML

If your Identity Provider supports Redirect binding as well, you can use another mitigation technique:

Changing the binding type to REDIRECT fixes this issue, since the new default behavior doesn’t impact the 302 redirects used in REDIRECT binding. Note that for some IdPs, changing the “Protocol Binding” setting to “None” or “Post” was also necessary.

To change the binding type in our SAML SSO app for Atlassian Server and Data Center products:

Navigate to the SAML SSO Configuration page
Click on Identity Providers tab in the middle panel
Scroll down to the Binding settings
Change the Login Binding to REDIRECT
Save the configuration

Option 3: Enterprise controls in Chrome

See https://www.chromium.org/updates/same-site for information on how to create an exception for your site if you’re using enterprise controls in Chrome.

Cookie	Duration	Description
_ga	1years 19days 23hours 59minutes	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assign a randomly generated number to identify unique visitors.
_gat_UA	1 minute	Used to throttle request rate. If Google Analytics is deployed via Google Tag Manager, this cookie will be named `_dc_gtm_<property-id>`.
_gat_UA-44969175-9	1 minute	A variation of the _gat cookie set by Google Analytics and Google Tag Manager to allow website owners to track visitor behaviour and measure site performance. The pattern element in the name contains the unique identity number of the account or website it relates to.
_gcl_au	3 months	Provided by Google Tag Manager to experiment advertisement efficiency of websites using their services.
_gid	23 hours 59 minutes	This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the wbsite is doing. The data collected including the number visitors, the source where they have come from, and the pages viisted in an anonymous form.
CONSENT	16 years 3 months 13 hours	YouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data.

Cookie	Duration	Description
_fbp	3 months	This cookie is set by Facebook to display advertisements when either on Facebook or on a digital platform powered by Facebook advertising, after visiting the website.
b3e783bb62	session	This cookie is set by the provider Zoho. This cookie is used for collecting information on user interaction with the web-campaign content. This cookie helps the website owners to promote products and events on the CRM-campaign-platform.
fr	3 months	Facebook sets this cookie to show relevant advertisements to users by tracking user behaviour across the web, on sites that have Facebook pixel or Facebook social plugin.
IDE	1 year 24 days	Google DoubleClick IDE cookies are used to store information about how the user uses the website to present them with relevant ads and according to the user profile.
NID	6 months	NID cookie, set by Google, is used for advertising purposes; to limit the number of times the user sees an ad, to mute unwanted ads, and to measure the effectiveness of ads.
test_cookie	15 minutes	The test_cookie is set by doubleclick.net and is used to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-id	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt.innertube::nextId	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.

Cookie	Duration	Description
_calendly_session	21 days	Store user preferences
_zcsr_tmp	session	Used for website security
1e5a17c8ab	session	No description available.
3eb9b21c5c	session	No description available.
4662279173	session	No description available.
AnalyticsSyncHistory	1 month	Used to store information about the time a sync with the lms_analytics cookie took place for users in the Designated Countries
cookielawinfo-checkbox-functional	1 year	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
CookieLawInfoConsent	1 year	Records the default button state of the corresponding category & the status of CCPA. It works only in coordination with the primary cookie.
d4bcc0a499	session	No description available.
li_gc	2 years	Used to store consent of guests regarding the use of cookies for non-essential purposes
m	2 years	No description available.
zft-sdc	12 hours	This cookie stores metadata ( entrances, source etc) of a session which is used by full tracking. (https://www.zoho.com/privacy/cookie-policy.html)
zps-tgr-dts	1 year	This cookie stores the session's metadata on your website.
zsc	30 minutes	Zoho Service Communication Key.

This Is What Chrome’s New Samesite Cookies Mean For Your Identity Provider

This Is What Chrome’s New Samesite Cookies Mean For Your Identity Provider

Table of Contents

What will happen?

How did this happen?

How to solve the problem?

Option 1: Set flag at reverse proxy / load balancer

Option 2: Use Redirect binding in SAML

Option 3: Enterprise controls in Chrome

Subscribe to our newsletter:

Isaiah Pegues

Tags:

Related articles:

User management apps

productivity apps

Integration Apps

resources

company

Don’t miss any news!