OASIS Mailing List Archives

saml-dev message



Subject: Re: [saml-dev] SameSite cookie support and HTTP-POST binding


On 7/19/19, 9:43 AM, "Peter Major" <peter.major@forgerock.com> wrote:

> Chrome is kind of forcing everyone to consider this use-case now:
> Either implementations will need to explicitly opt out of SameSite (by 
> setting it to None), or these SAML features will actually need to work 
> with Lax mode OOTB "somehow".

I don't think it's physically possible for those features to work in Lax mode if they also involve the use of cookies. The bindings do not rely on cookies, so they have nothing at all to say about them. It's the higher order behavior of the software that relies on cookies, and there's really not anything that can be done except don't use them or set SameSite appropriately.

-- Scott
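
The behavior discussed in this message, as an added example that is not part of the original post: a simplified model of a browser's SameSite decision, applied to the top-level cross-site POST that the HTTP-POST binding produces. The function name, site names and cookie are constructed for illustration, "site" is reduced to a plain string comparison, and temporary browser exceptions for cookies without a SameSite attribute are ignored.

```javascript
// Added example: simplified SameSite model, not code from any SAML implementation.
// cookieIsSent, the sample sites and the sp_session cookie are all hypothetical.
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

function cookieIsSent(cookie, request) {
  // An unset SameSite attribute is treated as Lax, the default the thread refers to.
  const mode = (cookie.sameSite || "Lax").toLowerCase();
  // Secure cookies never travel over plain HTTP.
  if (cookie.secure && request.scheme !== "https") return false;
  // Browsers enforcing the new default reject SameSite=None without Secure.
  if (mode === "none" && !cookie.secure) return false;
  // Same-site requests always carry the cookie.
  if (request.initiatorSite === request.targetSite) return true;
  if (mode === "none") return true;
  if (mode === "strict") return false;
  // Lax: cross-site only on top-level navigations that use a safe method.
  return request.topLevelNavigation && SAFE_METHODS.has(request.method);
}

// HTTP-POST binding: a page on one site auto-submits a form to the other site.
const samlPost = {
  method: "POST", topLevelNavigation: true, scheme: "https",
  initiatorSite: "idp.example", targetSite: "sp.example",
};
// HTTP-Redirect binding for comparison: a top-level GET navigation.
const samlRedirect = { ...samlPost, method: "GET" };

function demo() {
  const results = {};
  for (const sameSite of [undefined, "Lax", "Strict", "None"]) {
    const cookie = { name: "sp_session", sameSite, secure: true };
    results[sameSite || "unset"] = {
      post: cookieIsSent(cookie, samlPost),
      redirect: cookieIsSent(cookie, samlRedirect),
    };
  }
  return results;
}

console.log(demo());
```

Only the `None` row reports the cookie as sent on the POST, which is why software that depends on a cookie across the HTTP-POST binding has to set `SameSite=None; Secure` on it or stop depending on it.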



