Issue Description:
==================
The application uses iframes and multiple distributions (WARs) that together appear to be a single application. This works when using single sign-on with EAP 7 and Java 8 with PicketLink SAML.
The issue is that there appears to be a lack of support for non-FORM authentication in single sign-on. The outer application authenticates with SAML fine, but the internal iframe'd applications are not authenticated. Specifically, the browser says "Third-party cookies will be blocked. Learn more in the Issues tab", and setting the JSESSIONID cookie says "This attempt to set a cookie via a Set-Cookie header was blocked because it had the 'SameSite=Lax' attribute but came from a cross-site response which was not the response for a top-level navigation".
Having the SAML flow in an iframe is a security showstopper as per our requirement. It means we would need to have the session cookie SameSite=None, which is not allowed by security guidelines. At a minimum we should have at least SameSite=Lax.
SameSite=Lax won't work, as it's blocked by the browser.
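The following is an added example, not part of this report or of EAP/PicketLink: a small model of the browser's SameSite cookie rules (RFC 6265bis semantics as current browsers enforce them) applied to the scenario above. It shows why a SameSite=Lax JSESSIONID cannot be stored from, or sent on, a cross-site iframe request, while the same cookie works on the top-level SAML response and inside a same-site iframe. All site names (portal.example, inner.example, idp.example) are constructed, and "site" is passed in already reduced to scheme plus registrable domain.

```javascript
// Added example: model of browser SameSite cookie handling for the iframe SSO case.
// Site names are constructed; a "site" here is scheme + registrable domain.

const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

// ctx.initiatorSite: site of the document that caused the request
// ctx.targetSite:    site of the URL requested (or that sent Set-Cookie)
function isCrossSite(ctx) {
  return ctx.initiatorSite !== ctx.targetSite;
}

// Is an already-stored cookie attached to this outgoing request?
function cookieSentOnRequest(cookie, ctx) {
  if (!isCrossSite(ctx)) return true; // same-site requests always carry it
  switch (cookie.sameSite) {
    case "Strict":
      return false;
    case "Lax":
      // Cross-site Lax cookies travel only on top-level navigations with a
      // safe method; iframe and other subresource loads never get them.
      return ctx.topLevelNavigation && SAFE_METHODS.has(ctx.method);
    case "None":
      return cookie.secure === true; // browsers reject None without Secure
    default:
      throw new Error("unknown SameSite value: " + cookie.sameSite);
  }
}

// Does the browser store a cookie arriving in a Set-Cookie header?
// Returns { stored, reason } so the verdict can be logged.
function cookieStoredFromResponse(cookie, ctx) {
  if (cookie.sameSite === "None") {
    return cookie.secure
      ? { stored: true, reason: "SameSite=None with Secure" }
      : { stored: false, reason: "SameSite=None requires Secure" };
  }
  if (!isCrossSite(ctx)) return { stored: true, reason: "same-site response" };
  if (cookie.sameSite === "Strict") {
    return { stored: false, reason: "Strict cookie from cross-site response" };
  }
  // Lax: this is the rule behind the Chrome message quoted in the report.
  return ctx.topLevelNavigation
    ? { stored: true, reason: "Lax cookie set by a top-level navigation response" }
    : { stored: false, reason: "Lax cookie from a cross-site response that is not a top-level navigation" };
}

// Walk the report's scenario step by step with constructed sites.
function iframeSsoScenario() {
  const session = { name: "JSESSIONID", sameSite: "Lax", secure: true };
  const idp = "https://idp.example";        // constructed: SAML identity provider
  const outer = "https://portal.example";   // constructed: outer (top-level) app
  const inner = "https://inner.example";    // constructed: iframe'd app, cross-site
  const innerSameSite = outer;              // constructed: iframe'd app on the same site

  const results = {};
  // 1. SAML response POSTed by the IdP to the outer app as a top-level
  //    navigation: the Lax session cookie is stored.
  results.outerLogin = cookieStoredFromResponse(session, {
    initiatorSite: idp, targetSite: outer, topLevelNavigation: true, method: "POST" });
  // 2. Inner app loaded in a cross-site iframe: its Set-Cookie is rejected.
  results.iframeSetCookie = cookieStoredFromResponse(session, {
    initiatorSite: outer, targetSite: inner, topLevelNavigation: false, method: "GET" });
  // 3. Even a previously stored Lax cookie is not sent on the iframe request.
  results.iframeSend = cookieSentOnRequest(session, {
    initiatorSite: outer, targetSite: inner, topLevelNavigation: false, method: "GET" });
  // 4. Hosting the inner app on the same site keeps Lax working in the iframe.
  results.sameSiteIframeSetCookie = cookieStoredFromResponse(session, {
    initiatorSite: outer, targetSite: innerSameSite, topLevelNavigation: false, method: "GET" });
  return results;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(iframeSsoScenario(), null, 2));
}
```

Step 4 is the point a defender cares about: the only configurations in which a Lax session cookie survives inside an iframe are same-site ones, so the cookie policy forces either a same-site deployment of the iframe'd WARs or a SAML flow that never runs inside the frame.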
Requirement:
SAML flow in an iframe is not acceptable.
Environment:
============
JBoss EAP Version: 7.4.2
JBoss EAP Version: 8.0