[quote]My test server is Windows Server 2008 R2. It has the latest .Net Framework installed (4.8). We are using ComponentSpace 2.8.50. I added this line to web.config
I already had this line
Now I get the error
Parser Error Message: Unrecognized attribute 'cookieSameSite'. Note that attribute names are case-sensitive.
What is wrong? [/quote] Our testing was on Windows Server 2012. We haven't tested on 2008 but as far as I can tell as long as you have .NET framework v4.8 installed on the web server it should work.
Just to confirm, the element is in your section? If you remove the cookieSameSite="None" do you still get a parser error?
[/quote]Yes, the element is present. And I do not get the parser error if I remove the cookieSameSite="None" attribute. One other potential issue - this is a legacy app that is using the .Net framework 2.0 (actually 3.5). Could that be an issue? I also had another idea. What if I add the SameSite attribute to the Response cookie using an URL Rewrite outbound rule? Would that work?
[/quote]I haven't tried it but it's worth taking a look if you like. As long as you see the Secure and SameSite=None in the set-cookie header, that's all that's required.
Just to confirm, you have .NET framework v4.8 installed on the web server?
[/quote]Yes, I have .NET Framework 4.8 installed on the server.
[/quote]It might be related to the .NET framework v2.0. Our testing has been on the .NET framework v4.0 and above. You might have to contact Microsoft support for confirmation.
The other consideration is that not all SAML flows require the use of SAML state to work.
For example, if you're the SP and supporting IdP-initiated SSO flow, no SAML state is required. Therefore no changes would be required to support the Chrome updates.
Are you acting as the SP or IdP and are you supporting IdP-initiated or SP-initiated SSO? Are you supporting SAML logout?
[/quote]We are the SP, and we are supporting SP-initiated SSO. We do not support SAML logout.
I am currently experimenting with the URL rewrite outbound rule. If I am successful, I will post the method I used here in case someone else has an environment similar to mine.
[/quote]You probably can get away without the changes. It will mean one of the minor security checks won't be made. Specifically, we can't check the InResponseTo field of the SAML response without the saved SAML state. However, this isn't a major issue.
Thanks for volunteering to post the rewrite rule. That's very much appreciated.