Note: Google has delayed the rollout of the SameSite attribute enforcement in Chrome 80 until Feb. 17.
This notice applies to SecureAuth IdP versions:
- 7.4.3
- 8.0.1
- 8.0.2
- 8.0.3
- 8.1
- 8.2
- 9.0
- 9.01
- 9.02
Disclaimer:
The patch to address the SameSite issue is available for customers whose current version is no longer covered under the standard SecureAuth Support agreement. Fixes addressing unsupported versions of SecureAuth IdP are being made available as best effort fixes, and have not been subjected to the normal quality assurance processes, and as such are not supported or guaranteed. Testing and applying the patch is the sole responsibility of the customer, and no warranty is implied or inferred by receiving this patch from SecureAuth.
Recommendations:
The enforcement of the SameSite cookie attribute impacts a small segment of the workflows used by most IdP customers. Cross-site POSTs are primarily impacted. An example of an impacted workflow is:
- User logs on to a portal and gets the SSO cookie
- User browses directly to the SP and tries to log on
- The SP does an SP-initiated logon flow back to the IdP
- The browser does not present the SSO cookie because of SameSite enforcement
- The logon action fails or the user is prompted to log on again
Note that other workflows, or iFrame use cases may also be impacted.
SecureAuth recommends you test your applications using Chrome 80 (or Chrome 80 beta if prior to Feb. 4, 2020) and Firefox with SameSite enforcement enabled. After testing, you may find that no applications or use cases are impacted and applying the patch is unnecessary. You also may find that one or two applications are impacted, and you may choose to apply this patch to the impacted realms, rather than globally.
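To make the test above repeatable, the following added example (not SecureAuth's patch or code) takes the Set-Cookie headers a realm returns and predicts, under Chrome 80's default rules, which cookies the browser will withhold from the cross-site POST in the SP-initiated flow. Cookie names and values are constructed for the demo.

```python
# Added example (not SecureAuth's patch): given the Set-Cookie headers an IdP
# realm returns, predict which cookies a Chrome 80 browser will attach to a
# top-level cross-site POST such as the SP-initiated logon described above.
# Cookie names and values below are constructed for the demo.

def parse_set_cookie(header: str):
    """Split a Set-Cookie header into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def cross_site_post_verdict(header: str):
    """Return (cookie name, verdict, reason) for a top-level cross-site POST
    under Chrome 80 defaults (a missing SameSite attribute is treated as Lax)."""
    name, _value, attrs = parse_set_cookie(header)
    samesite = attrs.get("samesite", "").lower()
    secure = "secure" in attrs
    if samesite == "none":
        if secure:
            return name, "sent", "SameSite=None; Secure"
        return name, "rejected", "SameSite=None without Secure is dropped by Chrome 80"
    if samesite == "strict":
        return name, "withheld", "SameSite=Strict is never sent cross-site"
    if samesite == "lax":
        return name, "withheld", "SameSite=Lax is not sent on a cross-site POST"
    # No (or unrecognised) SameSite attribute: Chrome 80 treats it as Lax.
    # Chrome's temporary "Lax+POST" exception still sends such a cookie on a
    # top-level cross-site POST for two minutes after it was set; report the
    # steady-state behaviour rather than relying on that window.
    return name, "withheld", "no SameSite attribute; defaulted to Lax"


def audit(headers):
    """Names of cookies that will NOT reach the IdP on the cross-site POST,
    i.e. the realms' cookies that the patch would need to cover."""
    return [name for name, verdict, _ in map(cross_site_post_verdict, headers)
            if verdict != "sent"]


# Constructed sample headers standing in for an unpatched and a patched realm.
UNPATCHED = [
    "sso_token=abc123; Path=/; HttpOnly",                  # no SameSite -> Lax
    "session_id=s1; Path=/; HttpOnly; SameSite=Strict",
]
PATCHED = [
    "sso_token=abc123; Path=/; Secure; HttpOnly; SameSite=None",
    "half_fixed=x; Path=/; SameSite=None",                 # missing Secure
]

if __name__ == "__main__":
    for header in UNPATCHED + PATCHED:
        print(cross_site_post_verdict(header))
```

Feed it the real Set-Cookie headers captured from a realm (for example from the browser's developer tools) rather than the constructed ones to see which cookies a patched realm must mark SameSite=None; Secure.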
Getting the patch:
Contact SecureAuth support to obtain the Samesite patch for your IdP version.
Installation:
- Take the normal precautionary measures you typically perform before updating any enterprise system, such as taking a snapshot of the VM prior to making any changes
- Take the server out of production
- Review the following article to ensure that the prerequisite Microsoft .Net update and Microsoft patches have been installed: https://support.secureauth.com/hc/en-us/articles/360038330652-SameSite-cookie-support-and-Chrome-80
- Back up global.asax and global.asax.vb from the root of all impacted realms (for example, d:\secureauth\secureauth1)
- Copy the patched global.asax and global.asax.vb to the root of all impacted realms (for example, d:\secureauth\secureauth1), replacing the existing files
- No reboot or IIS reset is needed
- Test the impacted realms
- Return the server to production
Issues:
Contact SecureAuth support if you identify any issues with this patch. The product management team will determine on a case-by-case basis whether the issues will be addressed.