The SameSite cookie attribute should be set by UMC when sending cookies, especially for the session cookie. We should either make this configurable or hardcode it to a useful default. It must be respected that we are doing requests to different origins (ucs-sso.$host), but this is the other way round. I think we can make a strict default here and might have to make an unstrict default in simplesamlphp (see Bug #54483).
Successful build
Package: univention-management-console
Version: 12.0.12-21A~5.0.0.202204041052
Branch: ucs_5.0-0
Scope: errata5.0-1

It is now possible to set the SameSite cookie attribute for UMC cookies via UCR variable umc/http/cookie/samesite
OK: setting of SameSite=None|Lax|Strict works.
Note: SameSite=None can only be set if "Secure" is also set - otherwise browsers drop the entire cookie: `ucr set umc/http/enforce-secure-cookie=true umc/http/cookie/samesite=None`
OK: UCR variable description
OK: YAML
<https://errata.software-univention.de/#/?erratum=5.0x283>
Chrome 80 treats cookies as SameSite=Lax by default if no SameSite attribute is specified, see https://www.chromestatus.com/feature/5088147346030592.
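
Added example, not part of the original bug comments or of UMC's code: a small Python check that applies the two browser rules mentioned in this thread to Set-Cookie header values (SameSite=None is dropped without Secure, and a missing attribute is treated as Lax by Chrome 80). The cookie name and header values are constructed for illustration.

```python
# Audit Set-Cookie header values against the SameSite rules discussed above.
# All sample data is constructed; "ExampleSessionId" is a hypothetical name.
VALID = {"strict": "Strict", "lax": "Lax", "none": "None"}

SAMPLE_HEADERS = [
    "ExampleSessionId=abc123; Path=/; Secure; HttpOnly; SameSite=Strict",
    "ExampleSessionId=abc123; Path=/; HttpOnly; SameSite=None",
    "ExampleSessionId=abc123; Path=/; Secure; HttpOnly; samesite=none",
    "ExampleSessionId=abc123; Path=/; HttpOnly",
    "ExampleSessionId=abc123; Path=/; Secure; SameSite=Relaxed",
]


def parse_set_cookie(header):
    """Split a Set-Cookie value into (cookie name, {lowercased attr: value})."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, value = part.partition("=")
            attrs[key.strip().lower()] = value.strip()
    return name, attrs


def effective_samesite(header):
    """Return (cookie name, verdict) for one Set-Cookie header value."""
    name, attrs = parse_set_cookie(header)
    raw = attrs.get("samesite")
    if raw is None:
        # Chrome 80 behaviour cited in the thread: no attribute means Lax.
        return name, "Lax (default, attribute missing)"
    value = VALID.get(raw.lower())  # attribute values are case-insensitive
    if value is None:
        return name, "INVALID value %r" % raw
    if value == "None" and "secure" not in attrs:
        # The QA note above: browsers drop the entire cookie in this case.
        return name, "REJECTED (SameSite=None without Secure)"
    return name, value


def audit(headers):
    """Return the verdict for every header, in order."""
    return [effective_samesite(h) for h in headers]


if __name__ == "__main__":
    for cookie, verdict in audit(SAMPLE_HEADERS):
        print("%-18s %s" % (cookie, verdict))
```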