Subject: Re: [saml-dev] SameSite cookie support and HTTP-POST binding

On 7/19/19, 9:31 AM, "Peter Major" <peter.major@forgerock.com> wrote:

> One possible use-case would be step-up authentication. When an SP sends
> a step-up authentication request, it is difficult to verify the existing
> session's authncontext level if the IdP does not receive the session
> cookie along with the SAML request. (Similar issues would arise I
> suppose with isPassive=true to verify if the user is already logged in.)

You mean the IdP's cookies and the binding in that direction, not the SP. I hadn't thought about it (I'll do some more testing in that direction), but at the end of the day, the SameSite setting you use is what you *need* it to be. So asking what you should do if you yourself configure a SameSite value that's wrong doesn't make a great deal of sense to me.

That said, Java doesn't have an API for SameSite yet either, which is going to be a pain to work around.

-- Scott
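An added illustration of the point raised in this thread (not code from the list or from any SAML implementation): a small model of the browser's SameSite decision, run against a cross-site AuthnRequest delivered to the IdP by the HTTP-POST versus HTTP-Redirect binding. Hostnames are constructed, the "site" computation is a simplified eTLD+1, and Chrome's temporary "Lax+POST" grace period is not modelled.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


def site_of(url: str) -> str:
    """Registrable domain, simplified to the last two host labels.
    Assumption: no public-suffix list, so this is only correct for
    plain second-level domains like idp.example.org."""
    host = urlsplit(url).hostname or ""
    return ".".join(host.split(".")[-2:])


@dataclass
class Cookie:
    name: str
    same_site: str      # "Strict", "Lax" or "None"
    secure: bool = True


def cookie_sent(cookie: Cookie, request_url: str, initiator_url: str,
                method: str, top_level: bool) -> bool:
    """Would a SameSite-aware browser attach `cookie` to a request for
    `request_url` that was initiated by a page on `initiator_url`?"""
    if cookie.same_site == "None":
        return cookie.secure              # SameSite=None also requires Secure
    same_site = site_of(request_url) == site_of(initiator_url)
    if cookie.same_site == "Strict":
        return same_site
    # Lax: same-site requests, plus top-level navigations with a safe method
    return same_site or (top_level and method.upper() in SAFE_METHODS)


def idp_sees_session(same_site_value: str, binding: str) -> bool:
    """Does the IdP's session cookie arrive with the SP's AuthnRequest?
    The HTTP-POST binding is a top-level cross-site form POST; the
    HTTP-Redirect binding is a top-level cross-site GET. Hostnames are
    constructed for this example."""
    cookie = Cookie("idp_session", same_site_value)
    method = "POST" if binding == "HTTP-POST" else "GET"
    return cookie_sent(cookie, "https://idp.example.org/SAML2/POST/SSO",
                       "https://sp.example.net/", method, top_level=True)


if __name__ == "__main__":
    for value in ("Strict", "Lax", "None"):
        for binding in ("HTTP-POST", "HTTP-Redirect"):
            print(f"{value:6} {binding:13} -> {idp_sees_session(value, binding)}")
```

With SameSite=Lax the step-up or isPassive check fails only for the POST binding; the IdP sees no session and treats the user as anonymous.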

