SameSite Cookie and SAML 2.0
With Chrome's building a more private web initiative, Google has announced that future versions of Chrome will begin enforcing secure-by-default handling of third-party cookies. This means that any cookie without a SameSite policy assigned to it will automatically be upgraded to SameSite=Lax and cross-origin requests will only have cookies attached to them when they use the GET verb.
This change was initially introduced with the stable release of Chrome 80, but was later rolled back. Soon it will be reintroduced with other browsers following suit.
This new policy will only allow cookies set with the SameSite=None and Secure cookie flags to circumvent this new feature, provided they are being accessed from secure connections (HTTPS).
Correlation Cookie
Our SAML SP component makes use of a correlation cookie during the SAML authentication flow and, if using the HTTP POST binding, is affected by these SameSite cookie changes.
This correlation cookie remembers security data such as the request ID, relay state, and the ASP.NET authentication properties.
By default, the correlation cookie has its SameSite flag set to None and a SecurePolicy of CookieSecurePolicy.SameAsRequest. No changes will be required for most users once browsers roll out the SameSite cookie changes.
However, if during remote authentication, you are experiencing issues with the error "Sign in request expired", it may be that the correlation cookie is missing from the request due to the browser's SameSite cookie policy. To resolve this, we recommend you check that you have not modified the SameSiteMode of the cookie and that you are running under HTTPS.
To debug, we recommend that you check that the correlation cookie is being set correctly in the browser during the redirect to the IdP's SSO endpoint and that the correlation cookie is present in the redirect to the SP's ACS endpoint.
Safari
Older versions of Safari do not support SameSite=None. When Safari meets an unexpected SameSite policy, it defaults to Strict. This will prevent the cookie from being sent across domains. To resolve this issue, you will need to implement browser sniffing and set the Same Site Policy to unspecified, as recommended by Microsoft. This approach stops Safari from setting an incorrect policy, recreating the default behavior of other browsers.