

Subject: Re: [saml-dev] SameSite cookie support and HTTP-POST binding


Chrome is kind of forcing everyone to consider this use-case now:
https://www.chromestatus.com/feature/5088147346030592

Either implementations will need to explicitly opt out of SameSite (by setting it to None), or these SAML features will actually need to work with Lax mode OOTB "somehow".

cheers,
Peter

On 2019. 07. 19. 14:37, Cantor, Scott wrote:
On 7/19/19, 9:31 AM, "Peter Major" <peter.major@forgerock.com> wrote:

One possible use-case would be step up authentication. When an SP sends
a step up authentication request, it is difficult to verify the existing
session's authncontext level if the IdP does not receive the session
cookie along with the SAML request. (Similar issues would arise I
suppose with isPassive=true to verify if the user is already logged in.)

You mean the IdP's cookies and the binding in that direction, not the SP. I hadn't thought about it (I'll do some more testing in that direction), but at the end of the day, the SameSite setting you use is what you *need* it to be. So asking what you should do if you yourself configure a SameSite value that's wrong doesn't make a great deal of sense to me.

That said, Java doesn't have an API for SameSite yet either, which is going to be a pain to work around.

-- Scott



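To make the cross-site cases in this thread concrete, here is an added illustration (not code from the thread, from ForgeRock, or from any SAML product). It models the browser's SameSite decision for the two browser-mediated SAML legs (AuthnRequest from SP to IdP via the HTTP-Redirect or HTTP-POST binding, and Response from IdP to SP via HTTP-POST) and shows why a SameSite=Lax session cookie reaches the IdP for a redirect-bound request but not for a POST-bound one, which is the step-up / isPassive problem Peter describes. It also builds a Set-Cookie header by hand with SameSite=None, the opt-out Scott's message implies when the platform cookie API cannot emit the attribute. The site names `sp.example` and `idp.example` and the cookie names are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cookie:
    name: str
    site: str           # site that set the cookie, e.g. "idp.example" (constructed)
    same_site: str      # "Strict", "Lax" or "None"
    secure: bool = False


@dataclass(frozen=True)
class Request:
    initiator_site: str  # site whose page or redirect caused the navigation
    target_site: str     # site receiving the request
    method: str          # "GET" or "POST"
    top_level: bool = True
    https: bool = True


def cookie_is_sent(cookie: Cookie, req: Request) -> bool:
    """Decide whether the browser attaches `cookie` to `req` under SameSite rules."""
    if cookie.site != req.target_site:
        return False                      # cookie belongs to a different site
    if cookie.secure and not req.https:
        return False                      # Secure cookies never travel over plain HTTP
    if req.initiator_site == req.target_site:
        return True                       # same-site request: SameSite does not restrict
    if cookie.same_site == "Strict":
        return False                      # Strict: never on cross-site requests
    if cookie.same_site == "Lax":
        # Lax: only top-level navigations using a safe method (GET) carry the cookie,
        # so an auto-submitted cross-site form POST arrives without it
        return req.top_level and req.method == "GET"
    # SameSite=None: cross-site allowed, but Chrome also requires the Secure attribute
    return cookie.secure


SP, IDP = "sp.example", "idp.example"   # constructed site names


def saml_legs(idp_cookie: Cookie, sp_cookie: Cookie) -> dict:
    """Report, per SAML leg, whether the receiving party's session cookie arrives."""
    legs = {
        # SP -> IdP AuthnRequest, HTTP-Redirect binding (top-level GET)
        "authnrequest_redirect": Request(SP, IDP, "GET"),
        # SP -> IdP AuthnRequest, HTTP-POST binding (auto-submitted top-level form POST)
        "authnrequest_post": Request(SP, IDP, "POST"),
        # IdP -> SP Response, HTTP-POST binding (auto-submitted top-level form POST)
        "response_post": Request(IDP, SP, "POST"),
    }
    return {
        name: cookie_is_sent(idp_cookie if req.target_site == IDP else sp_cookie, req)
        for name, req in legs.items()
    }


def set_cookie_header(name: str, value: str, same_site: str, secure: bool = True,
                      http_only: bool = True, path: str = "/") -> str:
    """Build a Set-Cookie header string by hand, the workaround when the platform's
    cookie API has no way to emit the SameSite attribute."""
    if same_site not in ("Strict", "Lax", "None"):
        raise ValueError("unknown SameSite value: %r" % same_site)
    if same_site == "None" and not secure:
        raise ValueError("SameSite=None cookies must also be Secure")
    parts = ["%s=%s" % (name, value), "Path=" + path]
    if secure:
        parts.append("Secure")
    if http_only:
        parts.append("HttpOnly")
    parts.append("SameSite=" + same_site)
    return "; ".join(parts)


if __name__ == "__main__":
    lax = saml_legs(Cookie("idp_session", IDP, "Lax", True),
                    Cookie("sp_session", SP, "Lax", True))
    none = saml_legs(Cookie("idp_session", IDP, "None", True),
                     Cookie("sp_session", SP, "None", True))
    for leg in lax:
        print(f"{leg:24s} Lax={lax[leg]!s:5s} None={none[leg]}")
    print(set_cookie_header("idp_session", "opaque-id", "None"))
```

Running the script prints one line per leg: with Lax cookies only the redirect-bound AuthnRequest carries the IdP session, while with SameSite=None (plus Secure) every leg does. The `set_cookie_header` helper refuses SameSite=None without Secure, since Chrome drops such cookies, which is the combination most easily got wrong when the header is assembled by hand.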

