Keycloak / KEYCLOAK-12884

SAML authentication does not work when the SameSite attribute of AUTH_SESSION_ID cookie is Lax.

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Cannot Reproduce
    • Affects Version/s: 7.0.1
    • Fix Version/s: None
    • Component/s: Authentication
    • Labels:
      None
    • Steps to Reproduce:

      1) Configure SAML authentication
      2) Set all cookies to the SameSite=Lax attribute
    • Docs QE Status:
      NEW
    • QE Status:
      NEW

      Description

      SAML authentication does not work when the SameSite attribute of AUTH_SESSION_ID cookie is Lax.

      We use Keycloak 7.0.1.

      The upcoming change in browser functionality sets the cookie attribute SameSite to Lax by default:

      Chrome 80, scheduled for release in February 2020, introduces new cookie values and imposes cookie policies by default. Three values can be passed into the updated SameSite attribute: Strict, Lax, or None. Cookies that don't specify the SameSite attribute will default to SameSite=Lax.

      For details:
      https://blog.chromium.org/2019/10/developers-get-ready-for-new.html?m=1
      https://docs.microsoft.com/en-us/microsoftteams/platform/resources/samesite-cookie-update

      We have tested Keycloak 7.0.1 with all cookies set to the SameSite=Lax attribute, to be prepared for the upcoming changes.

      Unfortunately, the SAML authentication does not work when the SameSite attribute of AUTH_SESSION_ID cookie is Lax.

      Why does it happen?

      After successful authentication, a request with the SAML response returns from the SAML IdP via an HTTP 302 redirect and tries to access the Keycloak SAML endpoint (see RequestURL.png and SamRespose.png).

      Since the request originated from a different URL than the Keycloak SAML endpoint, the browser considers the AUTH_SESSION_ID cookie a “third-party cookie” (and since it is Lax) does not send it to the Keycloak SAML endpoint (see Lax Cookie.png).

      The request comes to the Keycloak SAML endpoint without an AUTH_SESSION_ID cookie and the authentication fails.

      According to our understanding of the SAML protocol, an AUTH_SESSION_ID cookie should not be used during SAML authentication since it is not part of the protocol.

      (BTW, maybe the same problem will occur as part of authentication against an external OIDC provider.)

      We would like to see, if possible, a workaround to disable the AUTH_SESSION_ID cookie.
      The AUTH_SESSION_ID cookie should be used in the cluster environment (https://www.keycloak.org/docs/7.0/server_installation/#sticky-sessions).

      How may we disable the cookie usage in the standalone environment?

      (We have only found the way to disable adding the route: https://www.keycloak.org/docs/7.0/server_installation/#disable-adding-the-route )
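As an added illustration (not part of this issue or of Keycloak's code), the following Python model reproduces the SameSite decision a browser makes for the AUTH_SESSION_ID cookie when the SAML response comes back cross-site from the IdP, for both a redirect (GET) and an HTTP-POST binding. The URLs, the registrable-domain computation and the rule set are simplifying assumptions.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed, simplified model of the SameSite rules a browser applies when
# deciding whether to attach a cookie to a request. Assumption: the "site" of
# a URL is its last two host labels (enough for the constructed examples).


@dataclass(frozen=True)
class Cookie:
    name: str
    same_site: str      # "Strict", "Lax" or "None"
    secure: bool = False


@dataclass(frozen=True)
class Request:
    url: str            # request target (here: the Keycloak SAML endpoint)
    initiator_url: str  # page that caused the request (here: the IdP)
    method: str         # "GET" (redirect binding) or "POST" (HTTP-POST binding)
    top_level: bool     # top-level navigation, not a subresource or iframe


def site_of(url: str) -> str:
    host = urlsplit(url).hostname or ""
    return ".".join(host.split(".")[-2:])


def cookie_is_sent(cookie: Cookie, req: Request) -> bool:
    """Return True if the browser attaches `cookie` to `req`."""
    if cookie.secure and urlsplit(req.url).scheme != "https":
        return False                      # Secure cookies never go over http
    if site_of(req.url) == site_of(req.initiator_url):
        return True                       # same-site: always sent
    if cookie.same_site == "None":
        return cookie.secure              # cross-site only with Secure set
    if cookie.same_site == "Lax":
        # Lax survives cross-site top-level navigations with safe methods only
        return req.top_level and req.method == "GET"
    return False                          # Strict: never sent cross-site


# Constructed SAML flow: Keycloak set AUTH_SESSION_ID on example.com, the IdP
# on example.org sends the browser back with the SAMLResponse.
SAML_ENDPOINT = "https://sso.example.com/auth/realms/demo/broker/idp/endpoint"
IDP_LOGIN_PAGE = "https://idp.example.org/sso/login"


def auth_session_reaches_keycloak(same_site: str, method: str) -> bool:
    cookie = Cookie("AUTH_SESSION_ID", same_site, secure=True)
    req = Request(SAML_ENDPOINT, IDP_LOGIN_PAGE, method, top_level=True)
    return cookie_is_sent(cookie, req)
```

A Lax cookie survives the cross-site top-level GET of a redirect but is dropped on a cross-site POST, so a SAML response delivered by the HTTP-POST binding arrives without AUTH_SESSION_ID unless the cookie is marked SameSite=None; Secure.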

      Attachments

      1. Lax Cookie.png (31 kB)
      2. RequestURL.png (11 kB)
      3. SamRespose.png (51 kB)

      People

      • Assignee: Michal Hajas (mitko)
      • Reporter: Michael Furman (michaelf)