Univention Bugzilla – Bug 52473
Single Sign On SameSite cookie issues with UCS 5 Portal app / UMC
Last modified: 2022-04-20 11:14:59 CEST
Scenario:
- School authority with main domain schoolauth.de, SSO IdP at ucs-sso.schoolauth.example
- School specific installation and portal at portal.alphaschool.de

When using the UCS 5 Portal app, SSO is done in an iframe on portal.alphaschool.de, which loads sso.schoolauth.example. Our simplesamlphp version [1] does not set and support samesite cookie settings [2], therefore the user sees an error when sso.schoolauth.example is loaded in the iframe. Simplesamlphp supports samesite cookie settings since version 1.17.3 [1].

Possible solutions:
- Setup another UCS IdP below alphaschool.de, e.g. sso.alphaschool.de, and configure it for the specific portal.
- Upgrade simplesamlphp in UCS and use samesite=none settings for the IdP cookies.

[1] https://simplesamlphp.org/docs/stable/simplesamlphp-changelog
[2] https://web.dev/samesite-cookies-explained/
This is also a problem for the UMC. The missing samesite cookie setting breaks the automatic session renewal (if not on the same domain). In this case the samesite setting needs to be set on the UMC session cookie as well.

How to reproduce (chrome only, firefox prints warnings): Go to https://$IP/umc, login with saml (https://ucs-sso.$DOMAIN/...), wait 5 minutes -> no auto session renewal.

I tested this with UCS4.4 but see no reason that UCS5 behaves differently. Mixing http and https between SP and IdP is also broken and if I understand the documentation about "samesite" correctly, mixing http and https will never work again. We might as well remove the capability to log in to the http version of the umc using saml.
FTR: This also occurs for other SAML SPs than the portal. Firefox (95.0) says:

Das Cookie "SimpleSAMLAuthToken" wird in Zukunft bald abgelehnt werden, da es für das Attribut "SameSite" entweder "None" oder einen ungültigen Wert angibt, ohne das "secure"-Attribut zu verwenden. Weitere Informationen zum "SameSite"-Attribut finden Sie unter https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite
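A small checker for the cookie attribute combinations this thread runs into (missing SameSite in a cross-site iframe, SameSite=None without Secure as Firefox warns, and a Secure cookie over plain http). This is an added example and not part of the bug report, of UCS or of simplesamlphp; the Set-Cookie headers it inspects are constructed for illustration.

```python
"""Check Set-Cookie headers for cross-site (iframe / SAML redirect) usability.

Added example, not code from the Univention bug or from simplesamlphp.
The sample headers at the bottom are constructed, not captured from a real IdP.
"""
from dataclasses import dataclass, field


@dataclass
class CookieCheck:
    name: str
    samesite: str                 # effective value after browser defaults: none / lax / strict
    secure: bool
    problems: list = field(default_factory=list)

    @property
    def usable_cross_site(self) -> bool:
        """True only if a browser would store the cookie and send it from a third-party context."""
        return not self.problems


def parse_set_cookie(header: str) -> dict:
    """Split one Set-Cookie header into name, value and lower-cased attribute map."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value, "attrs": attrs}


def check_cookie(header: str, https: bool = True) -> CookieCheck:
    """Evaluate a Set-Cookie header as a modern browser would for a cross-site request.

    https: whether the response carrying the header was delivered over TLS.
    """
    cookie = parse_set_cookie(header)
    attrs = cookie["attrs"]
    secure = "secure" in attrs
    samesite = attrs.get("samesite", "").lower()
    problems = []

    if samesite == "":
        # Chrome (and Firefox with its default flags) treats a missing attribute as Lax,
        # so the cookie is withheld when the IdP is loaded inside a cross-site iframe.
        samesite = "lax"
        problems.append("no SameSite attribute: defaults to Lax, withheld in cross-site iframe")
    elif samesite in ("lax", "strict"):
        problems.append(f"SameSite={samesite}: never sent from a cross-site iframe")
    elif samesite == "none":
        if not secure:
            # Exactly the condition in the Firefox warning quoted above.
            problems.append("SameSite=None without Secure: browsers reject the cookie")
    else:
        problems.append(f"invalid SameSite value {samesite!r}: not usable cross-site")

    if secure and not https:
        # A Secure cookie set over plain http is never stored, which is why mixing
        # http and https between SP and IdP cannot work with SameSite=None.
        problems.append("Secure attribute on an http response: cookie is not stored")

    return CookieCheck(cookie["name"], samesite, secure, problems)


# Constructed sample headers, modelled on the cookie name from the thread.
SAMPLES = {
    "old_default": "SimpleSAMLAuthToken=abc123; Path=/; HttpOnly",
    "none_no_secure": "SimpleSAMLAuthToken=abc123; Path=/; HttpOnly; SameSite=None",
    "fixed": "SimpleSAMLAuthToken=abc123; Path=/; HttpOnly; Secure; SameSite=None",
}

if __name__ == "__main__":
    for label, header in SAMPLES.items():
        result = check_cookie(header)
        status = "OK" if result.usable_cross_site else "BROKEN"
        print(f"{label:15} {status:7} {'; '.join(result.problems) or 'usable in cross-site iframe'}")
    # The fixed cookie still fails if the IdP response arrives over http.
    print("fixed over http:", check_cookie(SAMPLES["fixed"], https=False).problems)
```

Run against an IdP's real response headers (for example from the browser's network panel), the checker flags the same condition Firefox warns about and shows why only `SameSite=None; Secure` over https works for the iframe and session-renewal cases in this bug.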
We will introduce Keycloak as an alternative SAML IdP in the upcoming weeks, which should be able to fix this issue.