Chrome 80 SameSite changes

Starting on February 17th 2020, Google will begin changing how Chrome 80 sends cookies between different sites. This may break services connected to Feide, so service providers MUST take action to ensure their services can still log in using Feide in the future.

Depending on how the service works, the problem may affect logins for all or some of its users. It will affect logouts initiated from the Feide side, and may affect logouts initiated by the service.

Changes that need to be made on the Service Provider side

All SAML applications, and any OpenID Connect applications that use the form_post response mode, may be affected. In both cases the response is delivered to the application as a cross-site POST, and Chrome 80 treats cookies without an explicit SameSite attribute as SameSite=Lax, which are not sent with such requests. If the application depends on cookies to reconcile the response with its internal state, and those cookies are not marked SameSite=None, it is affected. To address the issue, service providers are advised to:

  • Review the list of unsupported browsers.
  • Adjust applications or update libraries as needed to ensure that SameSite=None is used for cookies. Please refer to SameSite cookie recipes for guidance on how to implement this fix for your use cases.

Changes being made on the Feide side

Please note that these changes only relate to the login service itself, and will not mitigate the service-specific issues mentioned earlier.

  • The cookies that Feide uses for its authentication services will be changed to specifically set the SameSite attribute to None.
  • There will be additional fallback cookies set (with a _nss suffix) to handle the case of legacy browsers that do not support the SameSite=None setting.
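The following is an added example, not Feide's code or any library's, illustrating both the service-provider fix above and the fallback-cookie pattern described here. It emits a session cookie marked SameSite=None; Secure together with a copy carrying the _nss suffix and no SameSite attribute, reads either one back from a Cookie header, and runs a deliberately simplified model of two browser behaviours (a Chrome 80-style default-to-Lax browser and a legacy browser that treats SameSite=None as Strict) to show which cookies survive a cross-site form POST. The function names, the browser labels, the cookie values and the exact attributes placed on the fallback cookie are assumptions for illustration.

```python
"""Cookie handling for a SAML / OIDC form_post response arriving cross-site.

Added example, not Feide code. Function names, browser labels and sample
values are assumptions; the ``_nss`` fallback suffix is the one named in the
notice. Standard library only, so it runs offline.
"""
from http.cookies import SimpleCookie

NSS_SUFFIX = "_nss"  # suffix of the fallback cookie described in the notice


def issue_session_cookies(name, value, max_age=3600):
    """Return two Set-Cookie header values for one session.

    The primary cookie is marked SameSite=None; Secure so a Chrome 80-style
    browser attaches it to the cross-site POST carrying the SAML Response or
    OIDC form_post. The fallback copy has the same value but no SameSite
    attribute, so a legacy browser that rejects SameSite=None keeps it.
    """
    common = f"Path=/; Secure; HttpOnly; Max-Age={max_age}"
    primary = f"{name}={value}; {common}; SameSite=None"
    fallback = f"{name}{NSS_SUFFIX}={value}; {common}"  # deliberately no SameSite
    return [primary, fallback]


def _parse_attributes(set_cookie):
    """Split a Set-Cookie value into lower-cased attribute name -> value."""
    attrs = {}
    for part in set_cookie.split(";")[1:]:
        key, _, val = part.strip().partition("=")
        attrs[key.lower()] = val.lower()
    return attrs


def browser_sends_cookie(set_cookie, browser, cross_site_post=True):
    """Simplified model (assumption, not any real browser's full logic) of
    whether a cookie is attached to a top-level cross-site POST.

    "chrome80": no SameSite attribute defaults to Lax; None requires Secure.
      (Chrome's temporary "Lax+POST" grace period for fresh cookies is not
      modelled here.)
    "legacy_none_as_strict": treats SameSite=None as Strict, the behaviour of
      the browsers the notice calls unsupported.
    """
    attrs = _parse_attributes(set_cookie)
    samesite = attrs.get("samesite", "")
    secure = "secure" in attrs
    if not cross_site_post:
        return True  # same-site requests carry cookies under every policy
    if browser == "chrome80":
        if samesite == "none":
            return secure  # None without Secure is rejected outright
        return False  # explicit or defaulted Lax, and Strict, are withheld
    if browser == "legacy_none_as_strict":
        if samesite in ("none", "strict", "lax"):
            return False  # None is misread as Strict; Lax/Strict block POST
        return True  # no attribute: pre-SameSite behaviour, always sent
    raise ValueError(f"unknown browser model: {browser}")


def read_session(cookie_header, name):
    """Recover the session value from a request's Cookie header, preferring
    the primary cookie and falling back to the _nss copy."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    for candidate in (name, name + NSS_SUFFIX):
        if candidate in jar:
            return jar[candidate].value
    return None


def simulate(browser, set_cookies, name="sp_session"):
    """Replay the cross-site POST: which Set-Cookie values does the modelled
    browser return, and does the service still find its session?"""
    sent = [c for c in set_cookies if browser_sends_cookie(c, browser)]
    cookie_header = "; ".join(c.split(";")[0] for c in sent)
    return read_session(cookie_header, name)


if __name__ == "__main__":
    # Constructed sample: the pre-fix single cookie versus the fixed pair.
    old_style = ["sp_session=abc123; Path=/; Secure; HttpOnly"]
    fixed = issue_session_cookies("sp_session", "abc123")
    for label, cookies in (("unmarked cookie", old_style), ("None + _nss pair", fixed)):
        for browser in ("chrome80", "legacy_none_as_strict"):
            print(f"{label:18} {browser:22} -> {simulate(browser, cookies)!r}")
```

Running the script shows the failure the notice describes: the unmarked cookie is dropped by the Chrome 80 model on the cross-site POST, so the service cannot match the response to its state, while the SameSite=None cookie plus its _nss copy yields the session in both browser models. In a real application the two cookies should be set and cleared together, and the server should accept whichever one arrives.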