Bug 52473 - Single Sign On SameSite cookie issues with UCS 5 Portal app / UMC
Status: NEW
Product: UCS
Classification: Unclassified
Component: SAML
Version: UCS 4.4
Hardware: Other Linux
Importance: P5 normal
Target Milestone: ---
Assigned To: UCS maintainers
Reported: 2020-12-09 14:03 CET by Erik Damrose
Modified: 2022-04-20 11:14 CEST
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 3: Will affect average number of installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.171
School Customer affected?: Yes
Ticket number: 2020120821000412

Description Erik Damrose univentionstaff 2020-12-09 14:03:15 CET
Scenario:
- School authority with main domain schoolauth.de, SSO IdP at ucs-sso.schoolauth.example
- School specific installation and portal at portal.alphaschool.de

When using the UCS 5 Portal app, SSO is done in an iframe on portal.alphaschool.de, which loads sso.schoolauth.example

Our simplesamlphp version [1] does not set or support SameSite cookie settings [2]; therefore the user sees an error when sso.schoolauth.example is loaded in the iframe.

Simplesamlphp has supported SameSite cookie settings since version 1.17.3 [1].

Possible solutions:
- Setup another UCS IdP below alphaschool.de, e.g. sso.alphaschool.de, and configure it for the specific portal.
- Upgrade simplesamlphp in UCS and use SameSite=None settings for the IdP cookies

[1] https://simplesamlphp.org/docs/stable/simplesamlphp-changelog
[2] https://web.dev/samesite-cookies-explained/
Comment 1 Jürn Brodersen univentionstaff 2021-07-07 10:01:21 CEST
This is also a problem for the UMC. The missing SameSite cookie setting breaks the automatic session renewal (if not on the same domain).

In this case the SameSite setting needs to be set on the UMC session cookie as well.

How to reproduce (Chrome only; Firefox prints warnings):
Go to https://$IP/umc, log in with SAML (https://ucs-sso.$DOMAIN/...), wait 5 minutes -> no automatic session renewal. I tested this with UCS 4.4 but see no reason why UCS 5 would behave differently.

Mixing http and https between SP and IdP is also broken, and if I understand the documentation about "samesite" correctly, mixing http and https will never work again. We might as well remove the capability to log in to the http version of the UMC using SAML.
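The cookie rules behind the failures in the description and in comment 1, as an added example: this is not code from the bug report, from UCS or from simplesamlphp, and it models the Lax-by-default behaviour Chrome introduced rather than any one browser exactly (Chrome's two-minute "Lax+POST" exception is left out). Hostnames are taken from the report; the cookie values, the IP address 192.0.2.10 standing in for $IP, schoolauth.example standing in for $DOMAIN, and the UMC cookie name UMCSessionId are assumptions.

```javascript
// Added example, not code from the bug report, UCS or simplesamlphp: a small
// model of the browser rules that decide whether a cookie accompanies a
// request, run over the scenarios in this bug. Hostnames are the ones in the
// report; cookie values, the IP address and the UMC cookie name are constructed.

// Parse a Set-Cookie header into name/value plus the attributes that matter here.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim());
  const eq = parts[0].indexOf('=');
  const cookie = {
    name: parts[0].slice(0, eq),
    value: parts[0].slice(eq + 1),
    secure: false,
    httpOnly: false,
    sameSite: null, // null: attribute absent
  };
  for (const attr of parts.slice(1)) {
    const [k, v] = attr.split('=');
    const key = k.trim().toLowerCase();
    if (key === 'secure') cookie.secure = true;
    else if (key === 'httponly') cookie.httpOnly = true;
    else if (key === 'samesite') cookie.sameSite = (v || '').trim().toLowerCase();
  }
  return cookie;
}

// "Site" of a host: its registrable domain, approximated as the last two labels
// (real browsers consult the Public Suffix List). An IP literal is its own site.
function site(host) {
  if (/^\d+(\.\d+){3}$/.test(host)) return host;
  return host.split('.').slice(-2).join('.');
}

// Effective SameSite mode under the Chrome 80+ rules: no attribute means Lax;
// None is honoured only together with Secure and is otherwise rejected (the
// case Firefox warns about in comment 2); any other value falls back to Lax.
function effectiveSameSite(cookie) {
  if (cookie.sameSite === null) return 'lax';
  if (cookie.sameSite === 'none') return cookie.secure ? 'none' : 'rejected';
  if (cookie.sameSite === 'strict') return 'strict';
  return 'lax';
}

// Would the browser attach `cookie` (set by request.host) to this request?
// initiatorScheme/initiatorHost describe the top-level page that causes the
// request; topLevelNavigation is false for iframe loads and XHR.
function cookieIsSent(cookie, request) {
  const mode = effectiveSameSite(cookie);
  if (mode === 'rejected') return false; // never stored, so never sent
  if (cookie.secure && request.scheme !== 'https') return false;
  // Schemeful same-site: same registrable domain and the same scheme.
  const sameSite =
    site(request.host) === site(request.initiatorHost) &&
    request.scheme === request.initiatorScheme;
  if (sameSite || mode === 'none') return true;
  if (mode === 'lax') return request.topLevelNavigation && request.method === 'GET';
  return false; // strict never crosses sites
}

function request(method, scheme, host, initiatorScheme, initiatorHost, topLevelNavigation) {
  return { method, scheme, host, initiatorScheme, initiatorHost, topLevelNavigation };
}

// IdP cookie as an older simplesamlphp emits it (no SameSite attribute), the
// fix available from 1.17.3 onwards, and the misconfiguration from comment 2.
const idpLegacy = parseSetCookie('SimpleSAMLAuthToken=c0ffee; Path=/; HttpOnly');
const idpFixed = parseSetCookie('SimpleSAMLAuthToken=c0ffee; Path=/; HttpOnly; SameSite=None; Secure');
const idpNoneOnly = parseSetCookie('SimpleSAMLAuthToken=c0ffee; Path=/; HttpOnly; SameSite=None');

function idpScenarios() {
  // Description: the portal embeds the IdP in an iframe (a cross-site subresource).
  const iframe = request('GET', 'https', 'ucs-sso.schoolauth.example', 'https', 'portal.alphaschool.de', false);
  // Alternative from the description: an IdP below the portal's own domain.
  const ownIdp = request('GET', 'https', 'sso.alphaschool.de', 'https', 'portal.alphaschool.de', false);
  // Comment 1: UMC opened as https://$IP/umc, session renewal request to the IdP.
  const renewal = request('GET', 'https', 'ucs-sso.schoolauth.example', 'https', '192.0.2.10', false);
  return {
    legacyInIframe: cookieIsSent(idpLegacy, iframe),     // false: Lax by default
    fixedInIframe: cookieIsSent(idpFixed, iframe),       // true
    noneOnlyInIframe: cookieIsSent(idpNoneOnly, iframe), // false: rejected
    legacyOwnIdp: cookieIsSent(idpLegacy, ownIdp),       // true: same site, no fix needed
    renewalLegacy: cookieIsSent(idpLegacy, renewal),     // false
    renewalFixed: cookieIsSent(idpFixed, renewal),       // true
  };
}

// Comment 1, http UMC: the SAML response is a cross-site top-level POST from
// the https IdP back to http://$IP/umc. Whatever the UMC session cookie
// (name assumed) says, it is not sent: Lax allows cross-site top-level GET
// only, None without Secure is rejected, and Secure never travels over http.
function httpUmcScenarios() {
  const samlResponse = request('POST', 'http', '192.0.2.10', 'https', 'ucs-sso.schoolauth.example', true);
  return ['', '; SameSite=None', '; SameSite=None; Secure'].map((attrs) =>
    cookieIsSent(parseSetCookie('UMCSessionId=s3ss10n; Path=/; HttpOnly' + attrs), samlResponse));
}

console.log(idpScenarios(), httpUmcScenarios()); // httpUmcScenarios() -> [false, false, false]
```

Run it with node. The point the model makes is that SameSite=None together with Secure is the only setting under which a cross-site iframe load or renewal request carries the IdP cookie, that an IdP under the portal's own registrable domain (the first workaround in the description) needs no cookie change at all, and that an SP served over plain http cannot satisfy the rules with any attribute combination, which is the http/https case comment 1 describes.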
Comment 2 Michael Grandjean univentionstaff 2021-12-09 15:29:09 CET
FTR: This also occurs for other SAML SPs than the portal. Firefox (95.0) says:

Cookie "SimpleSAMLAuthToken" will be rejected in the near future because it specifies "None" or an invalid value for the "SameSite" attribute without using the "secure" attribute. More information about the "SameSite" attribute is available at https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite
Comment 3 Ingo Steuwer univentionstaff 2022-04-20 11:14:59 CEST
We will introduce Keycloak as an alternative SAML IdP in the upcoming weeks, which should be able to fix this issue.