Ramifications of setting httpCookies sameSite in web.config

The Microsoft article Work with SameSite cookies in ASP.NET describes the SameSite cookie support added to ASP.NET 4.7.2 and 4.8.

By default, no SameSite mode is specified and the Secure flag is false.

This can be overridden using the httpCookies setting in the <system.web> section of web.config.

For example, the following configuration defaults all cookies to SameSite=Lax and Secure.

<system.web>
  <httpCookies sameSite="Lax" requireSSL="true" />
</system.web>

The SAML_SessionID cookie must include SameSite=None and Secure.

ASP.NET 4.8
If targeting ASP.NET 4.8, there are no issues associated with the SAML_SessionID cookie and the httpCookies setting.

Regardless of the httpCookies setting, the SAML_SessionID cookie will include SameSite=None and Secure.

Prior to ASP.NET 4.8
If the httpCookies sameSite setting isn't specified, there are no issues associated with the SAML_SessionID cookie. It will include SameSite=None and Secure.

If SameSite=None is specified, there are no issues associated with the SAML_SessionID cookie.

However, if SameSite=Lax or SameSite=Strict is specified, the following must be added to web.config to ensure the default cookie settings are not applied to the SAML_SessionID cookie.

<system.webServer>
</system.webServer>
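As an added example (not code from the ComponentSpace page), the following script audits Set-Cookie headers captured from the service provider and reports whether the SAML_SessionID cookie would survive the cross-site POST that delivers the SAML response, which is the check behind the ASP.NET 4.8 and pre-4.8 cases above. The function names and sample headers are mine, and the browser behaviour it assumes (a missing SameSite attribute treated as Lax, SameSite=None rejected without Secure) is that of current browsers.

```python
# Added example: audit captured Set-Cookie headers for the SAML session cookie.
# Function names are hypothetical; sample headers below are constructed.

def parse_set_cookie(header):
    """Split one Set-Cookie header into name, Secure flag and SameSite mode."""
    first, *rest = [p.strip() for p in header.split(";")]
    name = first.partition("=")[0].strip()
    cookie = {"name": name, "secure": False, "samesite": None}
    for attr in rest:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            cookie["secure"] = True
        elif key == "samesite":
            cookie["samesite"] = val.strip().lower() or None
    return cookie

def cross_site_problem(cookie):
    """Return None if the cookie survives a cross-site POST, else the reason.
    Assumes current browser behaviour: a missing SameSite attribute is
    treated as Lax, and SameSite=None is rejected unless Secure is set."""
    mode = cookie["samesite"] or "lax"
    if mode in ("lax", "strict"):
        return f"SameSite={mode.capitalize()} blocks cross-site POST"
    if mode == "none" and not cookie["secure"]:
        return "SameSite=None without Secure is rejected by the browser"
    return None

def audit_saml_session_cookie(headers, cookie_name="SAML_SessionID"):
    """Check every Set-Cookie header that sets the SAML session cookie.
    Name comparison is case-insensitive because the page spells the
    cookie both SAML_SessionID and SAML_SessionId."""
    problems = []
    for header in headers:
        cookie = parse_set_cookie(header)
        if cookie["name"].lower() != cookie_name.lower():
            continue
        reason = cross_site_problem(cookie)
        if reason:
            problems.append(reason)
    return problems

# Constructed sample headers: GOOD is what ASP.NET 4.8 (or an unspecified
# setting) emits; BROKEN is what a global sameSite="Lax" default produces
# when the SAML_SessionID cookie is not exempted from it.
GOOD = ["SAML_SessionID=abc123; path=/; SameSite=None; Secure; HttpOnly"]
BROKEN = ["SAML_SessionID=abc123; path=/; SameSite=Lax; Secure; HttpOnly"]

if __name__ == "__main__":
    print(audit_saml_session_cookie(GOOD))    # []
    print(audit_saml_session_cookie(BROKEN))  # ['SameSite=Lax blocks cross-site POST']
```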