Cookie Usage by IdP for SP initiated auth

I’m evaluating the .NET Core 3.1 sample code for use as an IdP to initially handle an SP-initiated SSO, and I’ve come across this bit in Startup.cs:


services.Configure<CookiePolicyOptions>(options =>
{
    // SameSiteMode.None is required to support SAML SSO.
    options.MinimumSameSitePolicy = SameSiteMode.None;

    // Some older browsers don’t support SameSiteMode.None.
    options.OnAppendCookie = cookieContext => SameSite.CheckSameSite(cookieContext.Context, cookieContext.CookieOptions);
    options.OnDeleteCookie = cookieContext => SameSite.CheckSameSite(cookieContext.Context, cookieContext.CookieOptions);
});


I’m new to core but my understanding is these options would then be accessed by the Saml2 library when creating cookies; it wouldn’t automatically apply to any other cookies created by my app?

In the ASP.NET knowledge base, CS support said this about which flows use cookies to maintain SAML state:

“IdP-initiated SSO doesn’t require SAML state. However, SP-initiated SSO and SLO do.”
However, I can’t think of a reason SameSiteMode.None would be required on the IdP for SP-initiated SSO. Is it? On the initial request, all of the information is the SAML request and RelayState, there would be nothing in session yet. At that point, the library needs to store the SAML request until the user is authenticated, so I can see a cookie being used there to maintain that, but that is all local. Once authenticated, everything is sent back to the SP in the SAML request and RelayState - I haven’t seen anything in the SAML spec about cookies. Is there?

So my questions are: what exactly is this SAML cookie being used for, and is the cookie code snippet from Startup.cs above required? I haven’t found it mentioned in the docs yet. Thanks!

Not all flows require SAML session state. For example, IdP-initiated SSO when acting as the SP doesn’t require session state. However, SP-initiated SSO, whether acting as the IdP or SP, does. The simplest approach is to assume SAML session state is required and to support this through the required cookie policy.

The saml-session cookie requires SameSite=None. For more information on this, please refer to:

https://www.componentspace.com/Forums/10491/SAML-Cookie-SameSite-Mode-None

The MinimumSameSitePolicy isn’t used directly by the SAML library. Instead, this configuration is used by the Microsoft cookie policy middleware. If the MinimumSameSitePolicy is left to default to SameSiteMode.Lax, the middleware will change any cookies with SameSite=None to SameSite=Lax. Setting MinimumSameSitePolicy to SameSiteMode.None means the saml-session cookie can have SameSite=None. Other cookies can have whatever SameSite mode they require.

Cookies aren’t part of the SAML specification. They’re an implementation detail.

The saml-session cookie is used to maintain SAML session state in support of the SAML protocol. Not all protocol flows require state information, but it’s simpler to assume session state is required and to support the use of the saml-session cookie. Setting the MinimumSameSitePolicy to SameSiteMode=None is required; otherwise the cookie policy middleware will replace SameSiteMode=None with SameSiteMode=Lax for this and any other cookie with this mode.
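As an added example (not code from this thread or from the ComponentSpace sample), the cookie-policy configuration the answer describes, with the default-Lax variant beside the corrected one, plus a browser-detection helper in the shape of the SameSite.CheckSameSite call quoted above. The class SamlCookiePolicy and its two method names are hypothetical; the helper's user-agent heuristics follow Microsoft's published SameSite guidance, and the Secure setting is an addition not mentioned in the thread.

```csharp
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical helper (not the ComponentSpace sample's own): browsers that predate
// the SameSite=None value treat it as Strict, so the attribute is dropped for them only.
public static class SameSite
{
    public static void CheckSameSite(HttpContext httpContext, CookieOptions options)
    {
        if (options.SameSite != SameSiteMode.None) return;
        var userAgent = httpContext.Request.Headers["User-Agent"].ToString();
        if (DisallowsSameSiteNone(userAgent))
            options.SameSite = SameSiteMode.Unspecified; // emit no SameSite attribute at all
    }

    // Heuristics from Microsoft's SameSite guidance: iOS 12, macOS 10.14 Safari
    // and Chromium 50-69 reject or misinterpret SameSite=None.
    public static bool DisallowsSameSiteNone(string userAgent) =>
        userAgent.Contains("CPU iPhone OS 12") || userAgent.Contains("iPad; CPU OS 12")
        || (userAgent.Contains("Macintosh; Intel Mac OS X 10_14")
            && userAgent.Contains("Version/") && userAgent.Contains("Safari"))
        || userAgent.Contains("Chrome/5") || userAgent.Contains("Chrome/6");
}

public static class SamlCookiePolicy
{
    // Weak: MinimumSameSitePolicy stays at its default (Lax). The cookie policy
    // middleware rewrites the saml-session cookie from None to Lax, and the browser
    // then withholds it on the cross-site POST that carries the SAML message.
    public static void ConfigureWeak(IServiceCollection services) =>
        services.Configure<CookiePolicyOptions>(options =>
        {
            options.OnAppendCookie = ctx => SameSite.CheckSameSite(ctx.Context, ctx.CookieOptions);
        });

    // Corrected: let SameSite=None through for the cookies that ask for it, and mark
    // cookies Secure, because browsers reject SameSite=None on non-Secure cookies.
    public static void ConfigureForSaml(IServiceCollection services) =>
        services.Configure<CookiePolicyOptions>(options =>
        {
            options.MinimumSameSitePolicy = SameSiteMode.None;
            options.Secure = CookieSecurePolicy.Always;
            options.OnAppendCookie = ctx => SameSite.CheckSameSite(ctx.Context, ctx.CookieOptions);
            options.OnDeleteCookie = ctx => SameSite.CheckSameSite(ctx.Context, ctx.CookieOptions);
        });
}
```

The policy only affects cookies appended after app.UseCookiePolicy() runs in the pipeline, so it has to be registered ahead of the routing and endpoint middleware that issue the saml-session cookie.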