SAML authentication does not work when the SameSite attribute of AUTH_SESSION_ID cookie is Lax.
We use Keycloak 7.0.1.
The upcoming change in browser behaviour sets the SameSite cookie attribute to Lax by default:
Chrome 80, scheduled for release in February 2020, introduces new cookie values and imposes cookie policies by default. Three values can be passed into the updated SameSite attribute: Strict, Lax, or None. Cookies that don't specify the SameSite attribute will default to SameSite=Lax.
We have tested Keycloak 7.0.1 with all cookies set to SameSite=Lax, to be prepared for the upcoming changes.
Unfortunately, SAML authentication does not work when the SameSite attribute of the AUTH_SESSION_ID cookie is Lax.
Why does it happen?
After successful authentication, a request carrying the SAML response returns from the SAML IdP via an HTTP 302 redirect and tries to access the Keycloak SAML endpoint (see RequestURL.png and SamRespose.png).
Since the request originated from a URL other than the Keycloak SAML endpoint, the browser treats the AUTH_SESSION_ID cookie as a "third-party cookie" (and, since it is Lax) does not send it to the Keycloak SAML endpoint (see Lax Cookie.png).
The request arrives at the Keycloak SAML endpoint without an AUTH_SESSION_ID cookie and the authentication fails.
According to our understanding of the SAML protocol, an AUTH_SESSION_ID cookie should not be needed during SAML authentication, since it is not part of the protocol.
(By the way, the same problem may also occur when authenticating against an external OIDC provider.)
We would like to know whether there is a workaround to disable the AUTH_SESSION_ID cookie.
The AUTH_SESSION_ID cookie should be used in a cluster environment (https://www.keycloak.org/docs/7.0/server_installation/#sticky-sessions).
How can we disable the cookie in a standalone environment?
(We have only found how to disable adding the route: https://www.keycloak.org/docs/7.0/server_installation/#disable-adding-the-route)
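To make the SameSite decision described in the report concrete, here is an added example (not Keycloak code and not from the original post) that models the rules browsers apply under Chrome 80's policy: a Lax cookie is attached to a cross-site request only when that request is a top-level navigation using a safe method such as GET, while Strict cookies are never attached cross-site and SameSite=None cookies require Secure. The host names, the realm name and the broker endpoint path are hypothetical, and the registrable-domain logic is a deliberate simplification of what a browser does with the Public Suffix List. Note the practitioner caveat the model makes visible: a plain 302 redirect (top-level GET) would still carry a Lax cookie, whereas the cross-site form POST used by the SAML HTTP-POST binding does not, which is exactly the missing-cookie failure the report describes.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

# HTTP methods that a Lax cookie may accompany on a cross-site top-level navigation.
SAFE_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")


@dataclass(frozen=True)
class Cookie:
    name: str
    same_site: str      # "Strict", "Lax" or "None"; Chrome 80 defaults unset to "Lax"
    secure: bool = False


def registrable_domain(host: str) -> str:
    """Simplification: treat the last two labels as the registrable domain.
    Real browsers consult the Public Suffix List (so 'co.uk' etc. differ)."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:])


def same_site(url_a: str, url_b: str) -> bool:
    """Schemeful same-site: same scheme and same registrable domain."""
    a, b = urlsplit(url_a), urlsplit(url_b)
    return (a.scheme == b.scheme
            and registrable_domain(a.hostname or "") == registrable_domain(b.hostname or ""))


def cookie_sent(cookie: Cookie, initiator_url: str, target_url: str,
                method: str, top_level_navigation: bool) -> bool:
    """Decide whether `cookie` (already stored for the target's site) is attached
    to a request initiated from `initiator_url` and sent to `target_url`."""
    if cookie.same_site == "None":
        # Chrome 80 refuses to store SameSite=None cookies that lack Secure,
        # so such a cookie is never available to send.
        return cookie.secure
    if same_site(initiator_url, target_url):
        return True
    if cookie.same_site == "Strict":
        return False
    # Lax: a cross-site request gets the cookie only when it is a top-level
    # navigation using a safe method. Chrome 80's temporary "Lax+POST" exception
    # applies only to cookies that carry no SameSite attribute at all, not to
    # cookies explicitly set to Lax as in the report, so it is not modelled.
    return top_level_navigation and method.upper() in SAFE_METHODS


# Hypothetical hosts for the reported scenario: Keycloak on one site, the SAML IdP
# on another. The realm name and endpoint path are illustrative only.
KEYCLOAK_SAML_ENDPOINT = "https://keycloak.example.com/auth/realms/demo/broker/saml/endpoint"
KEYCLOAK_LOGIN_FORM = "https://keycloak.example.com/auth/realms/demo/login-actions/authenticate"
IDP_SSO_URL = "https://idp.example.org/saml/sso"

# The cookie from the report, explicitly set to SameSite=Lax.
AUTH_SESSION_ID = Cookie("AUTH_SESSION_ID", same_site="Lax")


def saml_response_delivery() -> dict:
    """Ways a SAML response can reach the Keycloak endpoint, and whether the Lax
    AUTH_SESSION_ID cookie travels with each of them."""
    return {
        # IdP answers with a 302 and the browser follows it with a top-level GET.
        "redirect_302_get": cookie_sent(
            AUTH_SESSION_ID, IDP_SSO_URL, KEYCLOAK_SAML_ENDPOINT, "GET", True),
        # SAML HTTP-POST binding: an auto-submitted cross-site form POST.
        "http_post_binding": cookie_sent(
            AUTH_SESSION_ID, IDP_SSO_URL, KEYCLOAK_SAML_ENDPOINT, "POST", True),
        # A same-site POST (e.g. from Keycloak's own login form) is unaffected.
        "same_site_post": cookie_sent(
            AUTH_SESSION_ID, KEYCLOAK_LOGIN_FORM, KEYCLOAK_SAML_ENDPOINT, "POST", True),
    }


if __name__ == "__main__":
    for scenario, sent in saml_response_delivery().items():
        print(f"{scenario:18s} -> AUTH_SESSION_ID sent: {sent}")
```

Run it directly to see the three scenarios side by side; the `http_post_binding` case is the only cross-site one that loses the cookie, which is why a browser-side SameSite default change breaks a flow that depends on a Lax cookie surviving the IdP round trip.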