Impact of Google Chrome 80 and changes in the default behavior of the SameSite cookie setting on SAML

Issue

Updated (May 31, 2021): The behavior is enabled by default since Chrome 84.

Updated (April 3, 2020): Chrome is Temporarily rolling back SameSite Cookie Changes

Updated (June 12, 2020): Added information about the fixed versions of the SAML 2.0 connector.

With the release of Chrome 80 in February, the default behavior of how Chrome is treating cookies without an explicit SameSite attribute is changing: these cookies will be handled as SameSite=Lax which means that such cookies will only be sent from the browser to the server in first-party or same-site contexts and won't be sent with cross-site requests.

The current roll-out plan according to https://www.chromium.org/updates/same-site is the following:

February 4, 2020: Chrome 80 Stable released. The enablement of the SameSite-by-default and SameSite=None-requires-Secure enforcement will not be included in this initial Chrome 80 stable rollout. Please see the next item for more detailed information on the when SameSite enforcement will be enabled for Chrome 80 stable.
February, 2020: Enforcement rollout for Chrome 80 Stable: The SameSite-by-default and SameSite=None-requires-Secure behaviors will begin rolling out to Chrome 80 Stable for an initial limited population starting the week of February 17, 2020, excluding the US President’s Day holiday on Monday. We will be closely monitoring and evaluating ecosystem impact from this initial limited phase through gradually increasing rollouts.

End-users can disable these settings via chrome://flags/#same-site-by-default-cookies and chrome://flags/#cookies-without-same-site-must-be-secure (available as of Chrome 76).

To learn more about the SameSite cookie settings and the changes in the default behavior please refer to the Additional Information section below.

Impact on Liferay's SAML Integration

Note: Liferay instances configured as Service Providers (SP) and connecting to a non-Liferay Identity Provider (IdP) should consult with their provider to clarify if they are affected.

For every browser session, the first SP initiated SSO request will continue to work, but require users to log into the Liferay SAML IdP - even if they have an already authenticated session on the IdP. This behavior is identical to when you configure the SAML plugin to Force Re-Authentication. The second SP initiated SSO request will require users to relaunch the browser beforehand in order to succeed.

SAML Single Logout does not work correctly with a Liferay SAML IdP. The flow is terminated on the IdP with a prompt stating you are signed in. From this point it can become difficult to log out from the SP without deleting all related cookie on the SP.

Redirection back to the page you were on when you made an SSO request on the SP works correctly. This is because the redirection URL is propagated through a "state" URL parameter and not kept in the Liferay SP's guest session.

Affected Environments

Your environment may be affected if it meets all of the following criteria:

1. Liferay Portal 6.x EE and Liferay DXP 7.x deployments configured as SAML IdP using Liferay Connector to SAML 2.0, versions
   • 5.0.0 for DXP 7.2
   • 4.1.0 and below for DXP 7.1
   • 3.1.1 and below for DXP 7.0
   • 2.1.3 and below for Liferay Portal 6.2 EE
   • 1.0.4 and below for Liferay Portal 6.1 EE GA2 and GA3
2. Web sites connecting to a Liferay SAML IdP as Service Providers
3. The Service Providers and the Identity Provider are running on different domains, for example:
   • https://www.mydomain.com -> https://www.idp.otherdomain.com : Affected (cross-site)
   • https://www.mydomain.com -> https://idp.mydomain.com : Not Affected (same-site)
4. End-users using Google Chrome 80 or higher

 Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure;SameSite=None