Impact of Access Manager Implementation for Upcoming Chrome privacy & security on web.
With an upcoming release of Chrome browser (build 80, planned to be released on Feb 4, 2020), Chrome is changing the way certain cookies are handled. As a security measure, Chrome will start blocking cookies which are set by third-party sites without explicit SameSite labeling. Given that almost all access management solutions rely on cookies for Single Sign On (SSO) and session management, this change may start to break SSO flows for users with the latest Chrome, if you’re using multi-domain installs or are using federation.
Please refer to the documentation below on the upcoming change:
I think it's important to understand that if you don't have SameSite defined, cookies will be treated as SameSite=Lax.
There are three settings: None, Lax, Strict.
None: cookies are sent all the time.
Lax: blocks cookies on cross-domain sub-requests (frames, images).
Strict: blocks all cross-site cookies.
I see this as something that might impact very few situations using NAM. The cross-domain iframes will get blocked by NAM in CSRF anyhow, never mind the cookies.
It's been in Firefox for a while now and you can turn it on and test out your environment.
The issue is discussed in detail in another thread:
Access Manager has provided a patch to solve this problem. This patch provides an option to set SameSite to None.
For NAM 4.5.1:
For NAM 4.4.4:
If customers are on a different NAM version, please upgrade to 4.5.1 or 4.4.4 and apply the patch. If an upgrade is not possible at the moment, please contact support for your NAM version-specific patch.
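A quick check you can run against your own IDP/Access Gateway responses before or after applying the patch, as an added example written for this page (it is not from the thread or from the Access Manager patch): it parses Set-Cookie headers and reports which cookies Chrome 80 will treat as Lax by default, and which SameSite=None cookies it will reject for lacking Secure (a Chrome 80 rule not mentioned above). The cookie names and header values are constructed samples, not real NAM cookies.

```python
# Set-Cookie headers constructed for this example; not from any real NAM deployment.
SAMPLE_SET_COOKIE = [
    "ssosession=deadbeef; Path=/; Secure; HttpOnly",            # no SameSite attribute
    "sessionid=abc123; Path=/nidp; HttpOnly",                   # no SameSite, not Secure
    "fedsession=xyz; Path=/; SameSite=None; HttpOnly",          # None without Secure
    "fedsession=xyz; Path=/; SameSite=None; Secure; HttpOnly",  # survives cross-site use
    "csrftoken=tok; Path=/; SameSite=Strict; Secure",
]

VALID_SAMESITE = {"none", "lax", "strict"}


def audit_set_cookie(header: str) -> dict:
    """Classify one Set-Cookie header under Chrome 80 SameSite rules.

    Returns the cookie name, the SameSite value Chrome will apply, whether the
    cookie is still sent on cross-site requests, and a list of findings.
    """
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip().lower()

    secure = "secure" in attrs
    declared = attrs.get("samesite")
    findings = []

    if declared not in VALID_SAMESITE:
        # Chrome 80 default: a missing or unrecognised SameSite value behaves as Lax.
        effective = "lax"
        findings.append("no valid SameSite attribute: treated as Lax, so the cookie is "
                        "withheld from cross-site sub-requests such as iframes and images")
    else:
        effective = declared

    if effective == "none" and not secure:
        # Chrome 80 also requires Secure on SameSite=None cookies; otherwise it rejects them.
        findings.append("SameSite=None without Secure: Chrome 80 rejects the cookie")

    cross_site_ok = effective == "none" and secure
    return {"name": name, "effective_samesite": effective,
            "secure": secure, "cross_site_ok": cross_site_ok, "findings": findings}


def audit_headers(headers):
    """Return only the cookies that would break a cross-site SSO flow."""
    return [r for r in (audit_set_cookie(h) for h in headers) if not r["cross_site_ok"]]


if __name__ == "__main__":
    for result in audit_headers(SAMPLE_SET_COOKIE):
        print(f"{result['name']}: SameSite={result['effective_samesite']}; "
              + "; ".join(result["findings"]))
```

Cookies that must be shared across domains or with a federation partner need both SameSite=None and Secure; everything else the script lists is expected to stay first-party only.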