Cookies SameSite mode 'None' not working

Hi All,
I am using SAML version 2.6.0.8 in my site and followed the below steps to make it compatible with the Chrome update, but when I check it in the browser SameSite mode=None is not visible (screenshot attached).

What to do if using SAML Library releases from v2.5.0 but earlier than v3.0.0

SAML library v2.5.0 introduced the SAML high-level API which uses a cookie to maintain SAML session state.

The ASP.NET session cookie, rather than a separate SAML session cookie, is used to maintain SAML session state.

The ASP.NET session cookie must include a SameSite value of None and should be marked as secure.

To achieve this:

1. Update the web server to the latest ASP.NET release (i.e. ASP.NET v4.8 or later) to pick up the runtime support for SameSite.

Note that the application may continue to target an earlier version of the .NET framework. For example, your application's project may continue to target .NET framework v4.0 but you need to update the web server to ASP.NET v4.8.

2. Update the application's web.config to specify the following.

3. Confirm that SameSite is working as described in the section below.

Without these changes, the SameSite parameter is missing or set to either Lax or Strict.

set-cookie: ASP.NET_SessionId=dwhtw4ajbxblp5pw5arwf0ww; path=/; HttpOnly



After these changes, the SameSite parameter is included.

set-cookie: ASP.NET_SessionId=2s2wesefh0cohv0ugctun4hl; path=/; secure;HttpOnly; SameSite=None



Note though that if the ASP.NET update hasn't been installed on the web server, the unrecognized cookieSameSite attribute will result in an "Unrecognized attribute" configuration error at runtime.

These changes are not required if calling the SAML low-level API rather than the more commonly used SAML high-level API.

Please update if I am missing anything.
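An added check for step 3 above ("confirm that SameSite is working"), written for this thread; it is not ComponentSpace's or Microsoft's code. It does two things: it audits a web.config fragment for the sessionState cookieSameSite attribute and the httpCookies requireSSL attribute (cookieSameSite is the attribute named in this thread; requireSSL is my assumption about how the Secure flag is being set, and both fragments are constructed here because the thread's own snippet did not survive), and it classifies Set-Cookie headers like the two quoted above the way Chrome 80 treats them in cross-site requests, which is exactly the case a SAML response POSTed from the identity provider falls into.

```python
"""Verify that an ASP.NET session cookie will survive a cross-site SAML POST.

Added example for this thread (not ComponentSpace's or Microsoft's code).
"""
import xml.etree.ElementTree as ET

# Constructed web.config fragments. sessionState/cookieSameSite and
# httpCookies/requireSSL are real ASP.NET Framework 4.7.2+/4.8 attributes;
# the surrounding layout is assumed, not copied from the thread.
WEB_CONFIG_BEFORE = """<configuration>
  <system.web>
    <sessionState mode="InProc" />
  </system.web>
</configuration>"""

WEB_CONFIG_AFTER = """<configuration>
  <system.web>
    <sessionState mode="InProc" cookieSameSite="None" />
    <httpCookies requireSSL="true" />
  </system.web>
</configuration>"""

# Set-Cookie values as quoted in the thread, before and after the change.
HEADER_BEFORE = "ASP.NET_SessionId=dwhtw4ajbxblp5pw5arwf0ww; path=/; HttpOnly"
HEADER_AFTER = ("ASP.NET_SessionId=2s2wesefh0cohv0ugctun4hl; "
                "path=/; secure;HttpOnly; SameSite=None")


def audit_web_config(xml_text: str) -> dict:
    """Report whether web.config asks for SameSite=None and Secure cookies."""
    root = ET.fromstring(xml_text)
    session = next(root.iter("sessionState"), None)
    cookies = next(root.iter("httpCookies"), None)
    same_site = session.get("cookieSameSite") if session is not None else None
    require_ssl = cookies.get("requireSSL") if cookies is not None else None
    return {
        "cookieSameSite": same_site,
        "requireSSL": require_ssl,
        "ok": (same_site or "").lower() == "none"
              and (require_ssl or "").lower() == "true",
    }


def parse_set_cookie(header: str) -> dict:
    """Split a Set-Cookie value into name, value and lower-cased attributes.

    Flag attributes such as Secure and HttpOnly map to True; valued
    attributes such as path and SameSite keep their string value.
    """
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() or True
    return {"name": name, "value": value, "attrs": attrs}


def classify_cookie(header: str) -> str:
    """How Chrome 80+ treats this cookie on a cross-site request.

    'cross-site-ok'   SameSite=None together with Secure: sent cross-site
    'rejected'        SameSite=None without Secure: Chrome drops the cookie
    'lax-by-default'  no (or empty) SameSite attribute: treated as Lax, so
                      it is NOT sent with a cross-site POST of a SAML response
    'same-site-only'  SameSite=Lax or Strict set explicitly
    """
    attrs = parse_set_cookie(header)["attrs"]
    same_site = attrs.get("samesite")
    if not isinstance(same_site, str):
        return "lax-by-default"
    if same_site.lower() == "none":
        return "cross-site-ok" if attrs.get("secure") else "rejected"
    return "same-site-only"


def session_cookie_ok(header: str) -> bool:
    """True only when the ASP.NET session cookie will survive the SAML POST."""
    cookie = parse_set_cookie(header)
    return (cookie["name"] == "ASP.NET_SessionId"
            and classify_cookie(header) == "cross-site-ok")


if __name__ == "__main__":
    for label, cfg in (("before", WEB_CONFIG_BEFORE), ("after", WEB_CONFIG_AFTER)):
        print(f"web.config {label}: {audit_web_config(cfg)}")
    for label, hdr in (("before", HEADER_BEFORE), ("after", HEADER_AFTER)):
        print(f"set-cookie {label}: {classify_cookie(hdr)}  ok={session_cookie_ok(hdr)}")
```

Paste the set-cookie value from the browser's network panel into HEADER_AFTER and rerun: "lax-by-default" on a server that already has cookieSameSite="None" in web.config is the symptom this thread describes, i.e. the runtime is silently ignoring the attribute because the .NET Framework 4.8 or KB updates are not installed.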

The same is happening to me also. We are using version 2.6.0.16.

We are using the below namespaces:
using ComponentSpace.SAML2;
using ComponentSpace.SAML2.Assertions;
using ComponentSpace.SAML2.Protocols;
using ComponentSpace.SAML2.Profiles.SSOBrowser;
using ComponentSpace.SAML2.Configuration;

Does it belong to the LOW-LEVEL or HIGH-LEVEL API?
Please confirm…
Thank You

We haven’t been able to reproduce this issue.

This is standard Microsoft functionality that we’re reliant on. It’s not code that we’ve written.

Have you tried this on different web servers or in your development environment?

If you remove from web.config, does this result in the Secure flag not being set?

I just want to see if either of the web.config changes are in effect.


Hi

We are using the below namespaces:

using ComponentSpace.SAML2;
using ComponentSpace.SAML2.Assertions;
using ComponentSpace.SAML2.Protocols;
using ComponentSpace.SAML2.Profiles.SSOBrowser;
using ComponentSpace.SAML2.Configuration;

Does it belong to the LOW-LEVEL or HIGH-LEVEL API?
OR
Is there any way to find out whether it is low- or high-level?

Please confirm…
Thank You

[quote]
ComponentSpace - 1/31/2020
We haven't been able to reproduce this issue.

This is standard Microsoft functionality that we're reliant on. It's not code that we've written.

Have you tried this on different web servers or in your development environment?

If you remove from web.config, does this result in the Secure flag not being set?

I just want to see if either of the web.config changes are in effect.


[/quote]

Yes, the web.config changes are in effect, as on removing it from web.config, the Secure flag is removed.

[quote]
gopichinta - 1/31/2020
Hi

we are using the below namespaces

using ComponentSpace.SAML2;
using ComponentSpace.SAML2.Assertions;
using ComponentSpace.SAML2.Protocols;
using ComponentSpace.SAML2.Profiles.SSOBrowser;
using ComponentSpace.SAML2.Configuration;

Does it belong to the LOW-LEVEL or HIGH-LEVEL API?
OR
Is there any way to find out whether it is low- or high-level?

Please confirm..
Thank You
[/quote]

The SAML high-level API consists of the SAMLIdentityProvider and SAMLServiceProvider classes in the ComponentSpace.SAML2 namespace. Other classes, including those in the ComponentSpace.SAML2.Assertions and ComponentSpace.SAML2.Protocols namespaces are part of the SAML low-level API.

The SAML low-level API doesn't use a cookie.

[quote]
gopichinta
[quote]
ComponentSpace - 1/31/2020
We haven't been able to reproduce this issue.

This is standard Microsoft functionality that we're reliant on. It's not code that we've written.

Have you tried this on different web servers or in your development environment?

If you remove from web.config, does this result in the Secure flag not being set?

I just want to see if either of the web.config changes are in effect.


[/quote]

Yes, the web.config changes are in effect, as on removing it from web.config, the Secure flag is removed.

[/quote]
Thanks for the confirmation.

In our test environment all we had to do to get this to work was to install the .NET Framework v4.8 on the web server.

Prior to installing v4.8, the unrecognized cookieSameSite attribute resulted in an “Unrecognized attribute” configuration error at runtime.

You're not receiving an error but it sounds like the cookieSameSite attribute is being ignored.

I've included links to the Microsoft documentation below.

https://docs.microsoft.com/en-us/dotnet/api/system.web.configuration.sessionstatesection?view=netframework-4.8

https://docs.microsoft.com/en-us/dotnet/api/system.web.samesitemode?view=netframework-4.8

The second link includes the following comments:

"The behavior of None was modified by updates described in KB article 4531182 and KB article 4524421.

Without these updates, the None value does not emit the SameSite cookie header. This conforms to https://tools.ietf.org/html/draft-west-first-party-cookies-07#section-4.1."

Please ensure your server is up to date and specifically the relevant KB updates are installed.
[quote]
gopichinta - 1/31/2020
Hi

we are using the below namespaces

using ComponentSpace.SAML2;
using ComponentSpace.SAML2.Assertions;
using ComponentSpace.SAML2.Protocols;
using ComponentSpace.SAML2.Profiles.SSOBrowser;
using ComponentSpace.SAML2.Configuration;

Does it belong to the LOW-LEVEL or HIGH-LEVEL API?
OR
Is there any way to find out whether it is low- or high-level?

Please confirm..
Thank You
[/quote]

The SAML high-level API consists of the SAMLIdentityProvider and SAMLServiceProvider classes in the ComponentSpace.SAML2 namespace. Other classes, including those in the ComponentSpace.SAML2.Assertions and ComponentSpace.SAML2.Protocols namespaces are part of the SAML low-level API.

The SAML low-level API doesn't use a cookie.
[/quote]
Is there a way to know what namespaces are high-level vs low-level?

We are using ComponentSpace.SAML2.Data, ComponentSpace.SAML2.Configuration and ComponentSpace.SAML2.Protocols.Certificates.

The SAML high-level API consists of the SAMLIdentityProvider and SAMLServiceProvider classes in the ComponentSpace.SAML2 namespace. Other classes, including those in the ComponentSpace.SAML2.Assertions and ComponentSpace.SAML2.Protocols namespaces are part of the SAML low-level API.

We have installed .NET Framework 4.8 on the system.
Using Chrome Version 80.0.3987.85 (Official Build) beta (64-bit)
Using ComponentSpace.SAML2.dll Version 2.6.0.16

And we are using .NET Framework 4.5 for the application.
And in the application web.config we changed the below:








But "SameSite" is showing empty…

Any suggestion please.

The Microsoft documentation at the following link says:

https://docs.microsoft.com/en-us/dotnet/api/system.web.samesitemode?view=netframework-4.8

“The behavior of None was modified by updates described in KB article 4531182 and KB article 4524421. Without these updates, the None value does not emit the SameSite cookie header.”

Please ensure your web server is up to date and specifically the KB updates have been applied.

These are also available through KB article 4535104.