Subject: Re: [saml-dev] SameSite cookie support and HTTP-POST binding


One possible use-case would be step-up authentication. When an SP sends a step-up authentication request, it is difficult to verify the existing session's AuthnContext level if the IdP does not receive the session cookie along with the SAML request. (Similar issues would arise, I suppose, with isPassive=true to verify if the user is already logged in.)

// We store relaystate values in memory, or in encrypted HTML5 local storage items.

cheers,
Peter

On 2019. 07. 19. 14:24, Cantor, Scott wrote:
On 7/19/19, 9:22 AM, "Peter Major" <peter.major@forgerock.com> wrote:

Are there any best practices (implementation advices) available for
keeping HTTP-POST binding working even when the session cookies have
SameSite Lax flag? (or Strict flag and HTTP-Redirect binding?)

Don't use cookies for relay state.

-- Scott



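As an added illustration (not code from this thread, nor from ForgeRock or any SAML product), the two points above in Python: a server-side RelayState store keyed by the AuthnRequest ID and recovered from the Response's InResponseTo, so the return leg needs no cookie at all, plus a small model of which binding hop a SameSite cookie survives. The store design, class and function names are assumptions.

```python
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class RelayStateStore:
    """Assumed design: the SP keeps RelayState under the ID it placed in the
    AuthnRequest and looks it up via the Response's InResponseTo, so the
    cross-site POST back to the SP (where SameSite=Lax strips cookies)
    carries everything needed without a cookie."""
    ttl_seconds: int = 300
    _entries: dict = field(default_factory=dict)

    def issue_request_id(self, relay_state: str, now=None) -> str:
        now = time.time() if now is None else now
        # SAML IDs must be xs:ID (NCName), so lead with an underscore.
        request_id = "_" + secrets.token_hex(16)
        self._entries[request_id] = (relay_state, now + self.ttl_seconds)
        return request_id

    def consume(self, in_response_to: str, now=None):
        """RelayState for a Response, or None if unknown, expired or already
        used (one-time, so a replayed Response does not resolve)."""
        now = time.time() if now is None else now
        entry = self._entries.pop(in_response_to, None)
        if entry is None:
            return None
        relay_state, expires = entry
        return None if now > expires else relay_state


def cookie_sent_cross_site(samesite: str, method: str, top_level=True) -> bool:
    """Model of whether a browser attaches a cookie to a cross-site request
    such as the SP->IdP or IdP->SP binding hop. Strict: never; Lax: only a
    top-level navigation with a safe method (the HTTP-Redirect GET, not the
    HTTP-POST form post); None: always (browsers also require Secure)."""
    samesite = samesite.lower()
    if samesite == "strict":
        return False
    if samesite == "lax":
        return top_level and method.upper() in ("GET", "HEAD")
    if samesite == "none":
        return True
    raise ValueError(f"unknown SameSite value: {samesite}")
```

The model deliberately ignores Chrome's temporary "Lax-allowing-unsafe" grace period for freshly set cookies; the IdP session-cookie problem Peter describes is exactly the Lax/POST row of this function, which the RelayState store does not fix on its own.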