
How do I disable the SameSite feature in the Chrome Browser


Article ID: 145668


Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On Agents (SiteMinder)
CA Single Sign On Federation (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
SITEMINDER

Issue/Introduction

I am unable to apply the SiteMinder tactical enhancement 'SameSite' patches throughout my environment, and I have users who must gain access to my environment through Cross-Domain POST requests. They are being denied access or re-prompted for credentials because they are using one of the browser versions in which Google has enabled the new 'SameSite' behavior.

Cause

With the release of Chrome 80, Google began enabling the new 'SameSite' cookie behavior by default for a small percentage of users and is rolling it out gradually, so two users on the same Chrome version may see different behavior. The feature changes how the browser treats cookies that carry no 'SameSite' attribute: a Chrome browser with the feature enabled treats such a cookie as though it had been set with SameSite=Lax. (Chrome's temporary "Lax+POST" mitigation still sends a SameSite-less cookie on a top-level cross-site POST for the first two minutes after the cookie is set, which is why a freshly authenticated user can succeed at first and then start being re-prompted.)

A Chrome browser with the 'SameSite' feature enabled will not send a cookie on a Cross-Domain (cross-site) POST request unless the cookie carries SameSite=None and is also marked Secure. Chrome additionally rejects, at set time, any cookie that specifies SameSite=None without Secure, so both the response that sets the cookie and the Cross-Domain POST that presents it must be over HTTPS. Note that "site" here means the registrable domain, not the full host name: requests between two hosts under the same registrable domain are not affected by this change.
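
The rules above can be checked against concrete Set-Cookie headers. The following JavaScript (Node.js) is an added example written for this article, not code from Broadcom, SiteMinder or Chromium. It models the Chrome 80 behavior described on the chromium.org page linked under Additional Information, including the temporary "Lax+POST" two-minute exception, and shows a SameSite-less session cookie being dropped from a cross-site POST while the SameSite=None; Secure form is still sent. The cookie name SMSESSION, the domain .example.com and the request shapes are constructed sample values, not taken from the article.

```javascript
// Added example (not from the Broadcom article or SiteMinder): a small model of the
// Chrome 80 "SameSite by default" cookie rules, used to check which Set-Cookie headers
// survive a top-level cross-site POST. All cookie values and requests are constructed.

const LAX_POST_GRACE_MS = 2 * 60 * 1000;               // Chrome's temporary "Lax+POST" window
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);

// Parse one Set-Cookie header value into a cookie record.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    secure: false,
    sameSite: null,                                      // null = attribute absent
  };
  for (const attr of attrs) {
    const [k, ...rest] = attr.split('=');
    const key = k.trim().toLowerCase();
    const val = rest.join('=').trim();
    if (key === 'secure') cookie.secure = true;
    else if (key === 'samesite') cookie.sameSite = val.toLowerCase();
    else cookie[key] = val;                              // Domain, Path, Expires... kept, not modelled
  }
  return cookie;
}

// Set-time rule (CookiesWithoutSameSiteMustBeSecure): SameSite=None without Secure is
// rejected outright. Returns null for a rejected cookie, otherwise the stored record.
function acceptCookie(header, setAtMs) {
  const cookie = parseSetCookie(header);
  if (cookie.sameSite === 'none' && !cookie.secure) return null;
  return { ...cookie, setAtMs };
}

// Send-time rule (SameSiteByDefaultCookies): does Chrome attach this cookie to the request?
// req: { https, crossSite, topLevel, method }
function isSent(cookie, req, nowMs) {
  if (cookie.secure && !req.https) return false;        // Secure cookies only travel over HTTPS
  if (!req.crossSite) return true;                      // same-site requests are unaffected
  const explicit = ['none', 'strict', 'lax'].includes(cookie.sameSite);
  const mode = explicit ? cookie.sameSite : 'lax';     // missing or invalid attribute -> Lax
  if (mode === 'none') return true;
  if (mode === 'strict') return false;
  // Lax: only top-level navigations with a safe method ...
  if (req.topLevel && SAFE_METHODS.has(req.method)) return true;
  // ... plus the Lax+POST grace period, which applies only to defaulted (not explicit) Lax
  return !explicit && req.topLevel && req.method === 'POST'
    && (nowMs - cookie.setAtMs) < LAX_POST_GRACE_MS;
}

// Header form that keeps working after the Chrome change: Secure plus SameSite=None.
function sameSiteNoneHeader(name, value, attrs = {}) {
  const parts = [`${name}=${value}`];
  if (attrs.domain) parts.push(`Domain=${attrs.domain}`);
  parts.push(`Path=${attrs.path || '/'}`, 'Secure', 'SameSite=None');
  return parts.join('; ');
}

// Constructed scenario: an SSO cookie set at t=0, then a cross-site form POST to the
// protected application (SMSESSION and .example.com are sample names, not from the article).
const crossSitePost = { https: true, crossSite: true, topLevel: true, method: 'POST' };
const legacy = acceptCookie('SMSESSION=abc123; Path=/; Secure', 0);
const patched = acceptCookie(sameSiteNoneHeader('SMSESSION', 'abc123', { domain: '.example.com' }), 0);

console.log('legacy cookie, POST after 1 min  :', isSent(legacy, crossSitePost, 60 * 1000));       // true (Lax+POST grace)
console.log('legacy cookie, POST after 10 min :', isSent(legacy, crossSitePost, 10 * 60 * 1000));  // false -> user re-prompted
console.log('patched cookie, POST after 10 min:', isSent(patched, crossSitePost, 10 * 60 * 1000)); // true
console.log('SameSite=None without Secure kept:', acceptCookie('SMSESSION=abc123; SameSite=None', 0) !== null); // false
```

Run it with `node samesite-model.js` (any file name). The two-minute grace in the first line is why the symptom in this article looks intermittent: the login POST succeeds, a later cross-site POST with the same cookie does not. The fourth line shows the other half of the change, a cookie that declares SameSite=None but not Secure is never stored, so an agent patched to emit SameSite=None over plain HTTP gains nothing.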

Environment

Release : R12.52 SP1 CR-x, 12.6x, 12.7x, and 12.8x

Component : SITEMINDER -Web Agent, WAOP, AccessGateway

Resolution

To disable the Chrome 'SameSite' feature in an individual browser:

Open chrome://flags and locate the following two flags:

#same-site-by-default-cookies ("SameSite by default cookies")
#cookies-without-same-site-must-be-secure ("Cookies without SameSite must be secure")

Set both of these flags to "Disabled".

Restart the browser for the changes to take effect.

The same result can be obtained by launching Chrome with the command-line switch --disable-features=SameSiteByDefaultCookies,CookiesWithoutSameSiteMustBeSecure. Both chrome://flags entries were removed in Chrome 91, and the command-line switch was retired in a later release; for managed browsers the supported route is the LegacySameSiteCookieBehaviorEnabledForDomainList enterprise policy described in the second Chromium link below, which restores the legacy behavior only for the listed domains.

Disabling the feature turns off a browser-wide CSRF mitigation for every site the user visits, so treat it as a temporary workaround, scope it to the affected domains where the policy allows, and plan to apply the SiteMinder 'SameSite' patches, which make the agent set its cookies with SameSite=None and Secure so that no browser change is needed.

Additional Information

Please refer to the following Chromium.org links for information on the 'SameSite' feature:

https://www.chromium.org/updates/same-site

https://www.chromium.org/administrators/policy-list-3/cookie-legacy-samesite-policies


Please refer to the following Communities post, which explains the Broadcom solution for the Google Chrome 80 'SameSite' behavior:

https://community.broadcom.com/enterprisesoftware/communities/community-home/digestviewer/viewthread?MessageKey=2b29c302-4e89-431b-aaf1-de90c616fca5&CommunityKey=f9d65308-ca9b-48b7-915c-7e9cb8fc3295&tab=digestviewer#bm2b29c302-4e89-431b-aaf1-de90c616fca5