Keycloak: KEYCLOAK-14103

SAML POST binding broken in Java adapters by new SameSite policies

    Details

    • Sprint:
      Keycloak Sprint 40, Keycloak Sprint 41
    • Steps to Reproduce:

      Firefox
      Set the following in about:config:

      • network.cookie.sameSite.laxByDefault=true
      • network.cookie.sameSite.laxPlusPOST.timeout=0
      • network.cookie.sameSite.noneRequiresSecure=true

      Chrome
      In chrome://flags enable:

      • #same-site-by-default-cookies
      • #cookies-without-same-site-must-be-secure

      Start Chrome with --enable-features=SameSiteDefaultChecksMethodRigorously.

      Now try to log in to an app that uses the SAML POST binding. Make sure the app and Keycloak are running on completely different domains (not just subdomains) so that the request is treated as cross-site.

    • Docs QE Status:
      NEW
    • QE Status:
      NEW

      Description

      What
      Java adapters use sessions provided by the container (see the SamlSessionsStore implementations). When a browser applies the SameSite=Lax-by-default policy, the session cookie is lost during the final "redirect", which is a POST request from Keycloak to the SAML adapter. A new session is then created and the auth flow in the adapter doesn't continue properly.

      This affects login, which requires the user to invoke the login process twice. The logout flow doesn't work at all: the SSO session is destroyed, but the app (secured by the SAML adapter) is still logged in.
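      As an added illustration (not from the ticket or the Keycloak code base), the following Python models the browser rule that drops the container's session cookie on the cross-site SAML POST, with the three reproduction flags above as parameters; the cookie name, the 5-second timing and the single-function browser model are assumptions for the example.

```python
from dataclasses import dataclass
from typing import Optional

SAFE_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")

@dataclass
class Cookie:
    name: str
    same_site: Optional[str]  # "Strict", "Lax", "None", or None when the attribute is absent
    secure: bool
    created_at: float         # seconds; only matters for the Lax+POST grace window

def cookie_is_sent(cookie: Cookie, *, cross_site: bool, method: str, top_level: bool,
                   now: float, lax_by_default: bool = True, lax_post_timeout: float = 120,
                   none_requires_secure: bool = True) -> bool:
    """Simplified model of a browser deciding whether to attach `cookie` to an HTTPS request.

    The keyword defaults mirror the flags from the reproduction steps: an absent
    SameSite attribute is treated as Lax (laxByDefault); a *defaulted* Lax cookie is
    still sent on a top-level cross-site POST for `lax_post_timeout` seconds after
    creation (Chrome "Lax+POST", Firefox laxPlusPOST.timeout; 0 turns the window off);
    SameSite=None without Secure is rejected (noneRequiresSecure).
    """
    mode = cookie.same_site if cookie.same_site is not None else ("Lax" if lax_by_default else "None")
    if mode == "None":
        return cookie.secure or not none_requires_secure
    if not cross_site:
        return True
    if mode == "Strict" or not top_level:
        return False
    if method.upper() in SAFE_METHODS:
        return True  # Lax: top-level navigation with a safe method is allowed
    defaulted = cookie.same_site is None
    return defaulted and (now - cookie.created_at) < lax_post_timeout

def saml_post_binding_scenario(session_cookie: Cookie, lax_post_timeout: float = 120) -> bool:
    """The ticket's flow: the container issues its session cookie when the adapter
    redirects the user to Keycloak (t=0); Keycloak then answers with an auto-submitted
    cross-site POST carrying the SAML response back to the adapter (t=5 s, assumed).
    Returns whether the session cookie reaches the adapter on that POST."""
    return cookie_is_sent(session_cookie, cross_site=True, method="POST", top_level=True,
                          now=5.0, lax_post_timeout=lax_post_timeout)

if __name__ == "__main__":
    container_default = Cookie("JSESSIONID", None, True, 0.0)  # assumed container cookie
    print("browser default, grace window on:", saml_post_binding_scenario(container_default))
    print("rigorous flags (timeout=0):      ", saml_post_binding_scenario(container_default, 0))
    print("SameSite=None; Secure:           ", saml_post_binding_scenario(Cookie("JSESSIONID", "None", True, 0.0), 0))
    print("SameSite=None without Secure:    ", saml_post_binding_scenario(Cookie("JSESSIONID", "None", False, 0.0), 0))
```

      With the grace window active the bug is masked because the session cookie is young enough to ride along on the POST; the rigorous flags expose it, and only a cookie marked SameSite=None together with Secure survives the cross-site POST.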


                People

                • Assignee:
                  mitko Michal Hajas
                • Reporter:
                  vmuzikar Václav Muzikář
