Cadet 3rd Class

Impact of Access Manager Implementation for Upcoming Chrome privacy & security on web.

With an upcoming release of Chrome browser (build 80, planned to be released on Feb 4, 2020), Chrome is changing the way certain cookies are handled. As a security measure, Chrome will start blocking cookies which are set by third-party sites without explicit SameSite labeling. Given that almost all access management solutions rely on cookies for Single Sign On (SSO) and session management, this change may start to break SSO flows for users with the latest Chrome, if you’re using multi-domain installs or are using federation.

Please refer to the documentation below on the upcoming change:

https://blog.chromium.org/2019/05/improving-privacy-and-security-on-web.html

https://www.chromium.org/updates/same-site

Lieutenant Commander

Do we have a solution for the same? Can we override the SameSite settings coming from the browser using the httpd.conf file and custom code? Tried, but it's looping around with "Too many redirects".
Commander

I think it's important to understand that if you don't have SameSite defined, they will be treated as SameSite=Lax.

There are three settings: None, Lax, Strict.

None: sending cookies all the time.

Lax: blocking cookies from cross-domain subrequests (frames, images).

Strict: block all cross-site cookies.

I see this as something that might impact very few situations using NAM. The cross domain iframes will get blocked by NAM in CSRF anyhow, never mind the cookies. 

It's been in Firefox for a while now and you can turn it on and test out your environment. 
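
An added example, not part of the original thread and not Access Manager code: a Node.js check that classifies `Set-Cookie` headers under the Chrome 80 behaviour discussed above (unlabelled cookies treated as Lax; per the linked Chromium SameSite update, `SameSite=None` is only accepted together with `Secure`). The cookie names and values are constructed placeholders.

```javascript
// Constructed sample headers; cookie names and values are placeholders.
const SAMPLE_HEADERS = [
  "SESSION_A=abc123; Path=/; Secure; HttpOnly",
  "SESSION_B=def456; Path=/; SameSite=None",
  "SESSION_C=ghi789; Path=/; Secure; HttpOnly; SameSite=None",
  "PREFS=dark; Path=/; SameSite=Strict",
];

// Split one Set-Cookie header value into its name and the two attributes that matter here.
function parseSetCookie(header) {
  const [nameValue, ...attrs] = header.split(";").map((part) => part.trim());
  const cookie = { name: nameValue.split("=")[0], secure: false, sameSite: null };
  for (const attr of attrs) {
    const [key, value = ""] = attr.split("=").map((s) => s.trim().toLowerCase());
    if (key === "secure") cookie.secure = true;
    if (key === "samesite") cookie.sameSite = value;
  }
  return cookie;
}

// Classify how Chrome 80 handles the cookie when the request is cross-site.
function auditSetCookie(header) {
  const { name, secure, sameSite } = parseSetCookie(header);
  if (sameSite === null) {
    // No label: treated as Lax, so not sent on cross-site iframes, XHR or POSTs.
    return { name, verdict: "unlabelled-treated-as-lax", crossSite: "top-level GET only" };
  }
  if (sameSite === "none") {
    // None is honoured only when the cookie is also marked Secure.
    return secure
      ? { name, verdict: "ok", crossSite: "always" }
      : { name, verdict: "rejected-none-without-secure", crossSite: "never" };
  }
  if (sameSite === "lax") return { name, verdict: "ok", crossSite: "top-level GET only" };
  if (sameSite === "strict") return { name, verdict: "ok", crossSite: "never" };
  // Anything else is flagged for manual review rather than guessed at.
  return { name, verdict: "unrecognized-samesite-value", crossSite: "unknown" };
}

function auditAll(headers) {
  return headers.map(auditSetCookie);
}

console.log(auditAll(SAMPLE_HEADERS));
```

Cookies reported as `unlabelled-treated-as-lax` or `rejected-none-without-secure` are the ones to review if they are needed for multi-domain SSO or federation.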

Micro Focus Expert

The issue is discussed in detail in another thread:

https://community.microfocus.com/t5/Access-Manager-User-Discussions/Impact-of-SameSite-Cookie-Chrome-80-on-Access-Manager/m-p/2761240#M6875

Access Manager has provided a patch to solve this problem. This patch provides an option to select the SameStrict to None.

For NAM 4.5.1:

https://www.netiq.com/documentation/access-manager-45/accessmanager451-hf1-release-notes/data/accessmanager451-hf1-release-notes.html

For NAM 4.4.4:

https://www.netiq.com/documentation/access-manager-44/accessmanager444-hf2-release-notes/data/accessmanager444-hf2-release-notes.html

If some customers are on a different NAM version, please upgrade to 4.5.1 or 4.4.4 and apply the patch. If an upgrade is not possible at the moment, please contact support for your NAM version-specific patch.
