Just a warning re: SameSite

Cantor, Scott cantor.2 at osu.edu
Fri Dec 20 15:40:26 EST 2019

I'm starting to get questions about this topic more frequently, and the vendors are starting to publish stuff. There are definitely apps out there that are broken right now and time's pretty short for getting fixes.

And I mostly wanted to note it because Okta just published something [1] and in usual vendor fashion they're wrong  about Shibboleth in it. And I'm sure that will become the "coventional wisdom", so from the horse's mouth, it's not true.

Even if it was fully our role to decide what your cookies should look like (it's not, we don't treat our deployers like helpless infants with no agency), most deployments in most scenarios don't behave visibly differently at all even with no changes and SSO is unimpacted except for some additional Java session churn/overhead. There is some impact on SSO when SPs use POST and a private browser window is used, but that's not really a high priority problem.

The real problems are more on the app/SP side and those are definitely real.

For myself, the Apple bug around this leads me to believe making no IdP change is a better course than creating more problems by "fixing" it for now, but the only real answer is "test everything" at this point, and if you really want to do it, we included a SameSite filter class in the last 3.x patch in case people wanted/needed a convenient workaround.

-- Scott 

[1] https://support.okta.com/help/s/article/Testing-results-for-Chrome80-SameSite-by-default-cookie-changes

More information about the users mailing list