How SiteMinder Avoids Impact of the Default Behavior of Google Chrome 80 for SameSite Cookie Attribute

SameSite Cookie Attribute in Google Chrome 80
When a request is sent from a web browser to website, the web browser verifies whether it has stored any cookies for the website. If the browser finds a cookie, it validates the cookie properties and flags to understand whether to send the cookie in the transaction to the website.
While this behavior enables a better user experience, it creates a security risk that can lead to CSRF vulnerabilities. To help mitigate this risk, Google Chrome is changing how it enforces its default behavior based on the SameSite cookie attribute. This change is effective from Chrome 80.
Google Chrome will start enforcing the SameSite cookie attribute from the upcoming release of Chrome 80 to govern its default cookie management behavior. This cookie attribute determines whether browsers will send stored cookies to cross-site websites. For detailed information about the upcoming changes in Google Chrome 80, see Google documentation.
The SameSite cookie attribute is in the following format:
Set-Cookie: CookieName=CookieValue; SameSite=Strict|Lax|None;
The possible values are:
Strict
Specifies that the cookie will be sent only in requests that are initiated from the same site websites but not in requests that are initiated by cross-site websites.
Lax
Specifies that the cookie is sent in requests that are initiated from the same site websites, and in idempotent requests such as GET to cross-site websites. The cookie is not sent in non-idempotent requests such as POST to cross-site websites. This is the default behavior of Chrome 80.
None
Specifies that the existing behavior of sending stored cookies in requests initiated from same-site or cross-site websites continues.
This document covers information about how SiteMinder can be configured to avoid the impact of Chrome 80 in regard to the SameSite cookie attribute.
How Google Chrome 80 Default Behavior Affects SiteMinder
A core functionality of SiteMinder is to manage cross-website access. As the SameSite cookie attribute is designed to improve the security of cross-site cookie usage, the new default behavior of Google Chrome 80 will affect your SiteMinder environment if all the following conditions are met in your environment:
  • Transactions are initiated from cross-sites. For example, a transaction is initiated by accessing a link in an application that is deployed on another domain
  • Accessing a link initiates a request with non-idempotent method like POST
The following sections in this document explain in detail how SameSite cookie attribute affects SiteMinder.
Effect of Google Chrome 80 Default Behavior on Non-Federation Functionality of SiteMinder in Cross-Sites
This section describes whether Google Chrome 80 default behavior will affect the non-federation functionality of SiteMinder, that is, use cases that
do not involve
SAML, WS-FED, or OpenID Connect.
List of Use Cases that Will Fail
The following use cases will fail functionally with the default behavior of Chrome 80:
  • Cookie provider flow for any POST request to an application
  • Custom cookies that are generated using responses when a POST request is initiated from a cross-site
  • Auditing of Anonymous authentication scheme may result in inconsistent results
  • Basic authentication scheme when a non-idempotent request like a POST request is initiated from a cross-site
List of Use Cases that Will Succeed with a Change in User Experience
The following use cases will succeed with a change in user experience (for example, multiple user re-authentications may be required) with the default behavior of Chrome 80:
  • SSO between applications when a SMSESSION cookie exists and a POST request is initiated from a cross-site
  • SSO between applications when a session scheme mini cookie exists and a POST request is initiated from a cross-site
Effect of Google Chrome 80 Default Behavior on Federation Functionality of SiteMinder
This section describes whether Google Chrome 80 default behavior will affect the federation functionality of SiteMinder that
involves
SAML, WS-FED, or OpenID Connect.
List of Use Cases that Will Fail
The following federation use cases will fail functionally with the default behavior of Chrome 80:
  • SP-initiated federation SSO transactions with the RelayState query parameter in SAML 2.0
  • SAML 2.0 SLO with HTTP-POST binding
  • SiteMinder acts as IdP in SAML 2.0 and Authentication Mode is set to Credential Selector (CHS)
  • ForceAuthn in SAML 2.0 when SiteMinder acts as IdP and Authentication Requesting Binding is HTTP-POST
  • Logout at IdP when SiteMinder acts as IdP and SP in WS-FED SLO
  • AJAX requests for Single Page Applications in OpenID Connect
  • Re-authentication at Authorization Endpoint (prompt=login) when SiteMinder acts as OpenID Connect Provider
Note that there are no federation use cases that will succeed with a change in user experience.