Regarding the note I received about Chrome changes in handling cookies (https://www.componentspace.com/Forums/10511/SAML-Cookie-SameSite-Mode-None ), I did not find any cookie set from ComponentSpace.SAML2. We are using v.2.8.8.0. Tested login flow with Chrome flags #same-site-by-default-cookies and #cookies-without-same-site-must-be-secure and all works fine. I am assuming that we are not affected if we are using only SAMLServiceProvider (not IdP) implementation?
Thank you
Version 2.8.8 uses the ASP.NET session cookie (ie ASP.NET_SessionId) rather than the custom SAML_SessionId cookie.
Some SAML flows will work without any changes and this looks like it’s the case for you.
When acting as the SP, for IdP-initiated SSO no SAML session state is required. For SP-initiated SSO, the flow will still work but one of the minor security checks we make cannot be made. SAML logout does require SAML session state to work correctly.