OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

saml-dev message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [saml-dev] SameSite cookie support and HTTP-POST binding

On 7/19/19, 9:31 AM, "Peter Major" <peter.major@forgerock.com> wrote:

> One possible use-case would be step up authentication. When an SP sends 
> a step up authentication request, it is difficult to verify the existing 
> session's authncontext level if the IdP does not receive the session 
> cookie along with the SAML request. (Similar issues would arise I 
> suppose with isPassive=true to verify if the user is already logged in.)

You mean the IdP's cookies and the binding in that direction, not the SP. I hadn't thought about it (I'll do some more testing in that direction), but at the end of the day, the SameSite setting you use is what you *need* it to be. So asking what you should do if you yourself configure a SameSite value that's wrong doesn't make a great deal of sense to me.

That said, Java doesn't have an API for SameSite yet either, which is going to be a pain to work around.

-- Scott

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]