Chrome Samesite - cross domain iframe use-case

Article ID: 195343

Products

  CA Single Sign On Secure Proxy Server (SiteMinder)
  CA Single Sign On Agents (SiteMinder)
  CA Single Sign On Federation (SiteMinder)
  CA Single Sign On SOA Security Manager (SiteMinder)
  SITEMINDER

Issue/Introduction

We're running 3 Web Agents. When a user accesses a page that contains an
iframe loading a page from another Web Agent in a different domain, the
SMSESSION cookie is not sent to that Web Agent and the browser is sent
back to the Cookie Provider.

We run the following scenario:

    1. When the user accesses the Application 1 URL in Chrome version 80,
       the Application 1 URL works well;
    2. Application 1 then calls Application 2 using an iframe;
    3. Application 2 has no cookie in the browser, so it redirects the
       browser to the Cookie Provider, and the browser then enters a loop
       which ends with the error:

       wa.training.com redirected you too many times

    4. We've tried to set "getcpcookie=yes" in our Cookie Provider
       instance, but the issue still reproduces;

How can we fix that?

Configuration:

  Cookie provider URL = http://wa.training.com/smmakecookie.ccc
  Cookie provider cookie domain = .training.com
  Cookie provider samesite value = none

  Application 1 URL = http://mywa.mydomain-abc.com/index.html
  Application 1 cookie domain = .mydomain-abc.com
  Application 1 cookie provider URL = http://wa.training.com/smmakecookie.ccc
  Application 1 samesite value = nothing set, so the browser takes it as LAX

  Application 2 URL = http://mywa.mydomain-xyz.com/index.html
  Application 2 cookie domain = .mydomain-xyz.com
  Application 2 cookie provider URL = http://wa.training.com/smmakecookie.ccc
  Application 2 samesite value = nothing set, so the browser takes it as LAX

Environment


  3 Web Agents 12.52SP1CR10 with SameSite patches, 64bit, on Apache 2.4 64bit on RedHat 6;
  Policy Server 12.8SP3 on RedHat 6;

Resolution

The use case involves two of the use cases described in our
documentation:

  Recommended Settings for Impacted Use Cases

    - Cookie provider flow for any POST request to an application;
    - SSO between applications when a SMSESSION cookie exists and a POST
      request is initiated from cross-site;

  https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8/How-SiteMinder-Avoids-Impact-of-the-Default-Behavior-of-Google-Chrome-80-for-SameSite-Cookie-Attribute/Recommended-Settings-for-Impacted-Use-Cases.html

As such, you need to apply the SameSite fix on all 3 Web Agents.

The following iframe code on the page makes the use case work with
Internet Explorer, using the HTML Form Authentication Scheme.

The target page served by app 1 (mywa.mydomain-abc.com):

  <!DOCTYPE html>
  <html>
  <body>

  <h1>The iframe element</h1>

  This is test page

  <form action="action" method="post" target="output_frame">
      <!-- input elements here -->
  </form>
  <iframe name="output_frame" src="http://mywa.mydomain-xyz.com/home/index.html" id="output_frame">
  </iframe>

  </body>
  </html>

The http://mywa.mydomain-xyz.com/home/index.html resource has this code:

  <html>home</html>

We first configured the Cookie Provider and both Web Agents this way:

wa.training.com (cookie provider):

  [6054/3339433728][Fri Jul 10 2020 10:55:21] cookiedomain='.training.com'.
  [6054/3339433728][Fri Jul 10 2020 10:55:21] cookiedomainscope='0'.
  [6054/3339433728][Fri Jul 10 2020 10:55:21] enablecookieprovider='yes'.
  [6054/3339433728][Fri Jul 10 2020 10:55:21] limitcookieprovider='no'.
  [6054/3339433728][Fri Jul 10 2020 10:55:21] trackcpsessiondomain='yes'.
  [6054/3339433728][Fri Jul 10 2020 10:55:21] tracksessiondomain='no'.

mywa.mydomain-abc.com (app 1):

  [5505/2828023552][Fri Jul 10 2020 10:48:12] cookiedomain=''.
  [5505/2828023552][Fri Jul 10 2020 10:48:12] cookiedomainscope='0'.
  [5505/2828023552][Fri Jul 10 2020 10:48:12] cookieprovider='http://wa.training.com/smmakecookie.ccc'.
  [5505/2828023552][Fri Jul 10 2020 10:48:12] enablecookieprovider='no'.
  [5505/2828023552][Fri Jul 10 2020 10:48:12] limitcookieprovider='no'.
  [5505/2828023552][Fri Jul 10 2020 10:48:12] tracksessiondomain='no'.

mywa.mydomain-xyz.com (app 2, embedded as an iframe in mywa.mydomain-abc.com):

  [5512/991487744][Fri Jul 10 2020 10:48:47] cookiedomain=''.
  [5512/991487744][Fri Jul 10 2020 10:48:47] cookiedomainscope='0'.
  [5512/991487744][Fri Jul 10 2020 10:48:47] cookieprovider='http://wa.training.com/smmakecookie.ccc'.
  [5512/991487744][Fri Jul 10 2020 10:48:47] enablecookieprovider='no'.
  [5512/991487744][Fri Jul 10 2020 10:48:47] limitcookieprovider='no'.
  [5512/991487744][Fri Jul 10 2020 10:48:47] tracksessiondomain='no'.

With Internet Explorer it works: we log in only once at
mywa.mydomain-abc.com and get the embedded mywa.mydomain-xyz.com page.

With Google Chrome it doesn't work: we log in at mywa.mydomain-abc.com
and are asked to log in again for mywa.mydomain-xyz.com. We see that
after the browser tries to reach mywa.mydomain-xyz.com, it gets
redirected to the Cookie Provider. The Cookie Provider's own cookie isn't
sent on that request, so the Cookie Provider cannot create one for
mywa.mydomain-xyz.com.

We then changed the configuration on the Cookie Provider to use the ACO
parameters from the SameSite enhancement:

wa.training.com (cookie provider):

  [6054/3339433728][Fri Jul 10 2020 10:55:21] cookiedomain='.training.com'.
  [6054/3339433728][Fri Jul 10 2020 10:55:21] cookiedomainscope='0'.
  [6054/3339433728][Fri Jul 10 2020 10:55:21] enablecookieprovider='yes'.
  [6054/3339433728][Fri Jul 10 2020 11:09:59] getcpcookie='yes'.
  [6054/3339433728][Fri Jul 10 2020 10:55:21] limitcookieprovider='no'.
  [6054/3339433728][Fri Jul 10 2020 11:09:59] samesite='None'.
  [6054/3339433728][Fri Jul 10 2020 10:55:21] trackcpsessiondomain='yes'.
  [6054/3339433728][Fri Jul 10 2020 10:55:21] tracksessiondomain='no'.

Now, with Google Chrome it still doesn't work: we log in only once at
mywa.mydomain-abc.com, but the resource from mywa.mydomain-xyz.com
doesn't show up. In Fiddler traces, we see that after trying to reach
mywa.mydomain-xyz.com, the browser gets redirected to the Cookie
Provider. This time a cookie is sent for the mydomain-xyz.com domain,
but the Agent on mydomain-xyz.com goes back to the Cookie Provider in a
loop because the Cookie Provider doesn't receive the expected cookie.
The browser then shows the following error:

  wa.training.com redirected you too many times.

Finally, keeping the Cookie Provider with the same configuration and
adding the SameSite ACO parameter on the other two Web Agents as well:

wa.training.com (cookie provider):

  [6054/3339433728][Fri Jul 10 2020 10:55:21] cookiedomain='.training.com'.
  [6054/3339433728][Fri Jul 10 2020 10:55:21] cookiedomainscope='0'.
  [6054/3339433728][Fri Jul 10 2020 10:55:21] enablecookieprovider='yes'.
  [6054/3339433728][Fri Jul 10 2020 11:09:59] getcpcookie='yes'.
  [6054/3339433728][Fri Jul 10 2020 10:55:21] limitcookieprovider='no'.
  [6054/3339433728][Fri Jul 10 2020 11:09:59] samesite='None'.
  [6054/3339433728][Fri Jul 10 2020 10:55:21] trackcpsessiondomain='yes'.
  [6054/3339433728][Fri Jul 10 2020 10:55:21] tracksessiondomain='no'.

mywa.mydomain-abc.com (app 1):

  [5505/2828023552][Fri Jul 10 2020 10:48:12] cookiedomain=''.
  [5505/2828023552][Fri Jul 10 2020 10:48:12] cookiedomainscope='0'.
  [5505/2828023552][Fri Jul 10 2020 10:48:12] cookieprovider='http://wa.training.com/smmakecookie.ccc'.
  [5505/2828023552][Fri Jul 10 2020 10:48:12] enablecookieprovider='no'.
  [5505/2828023552][Fri Jul 10 2020 10:48:12] limitcookieprovider='no'.
  [5505/2828023552][Fri Jul 10 2020 11:09:59] samesite='None'.
  [5505/2828023552][Fri Jul 10 2020 10:48:12] tracksessiondomain='no'.

mywa.mydomain-xyz.com (app 2, embedded as an iframe in mywa.mydomain-abc.com):

  [5512/991487744][Fri Jul 10 2020 10:48:47] cookiedomain=''.
  [5512/991487744][Fri Jul 10 2020 10:48:47] cookiedomainscope='0'.
  [5512/991487744][Fri Jul 10 2020 10:48:47] cookieprovider='http://wa.training.com/smmakecookie.ccc'.
  [5512/991487744][Fri Jul 10 2020 10:48:47] enablecookieprovider='no'.
  [5512/991487744][Fri Jul 10 2020 10:48:47] limitcookieprovider='no'.
  [5512/991487744][Fri Jul 10 2020 11:09:59] samesite='None'.
  [5512/991487744][Fri Jul 10 2020 10:48:47] tracksessiondomain='no'.

then the use case works as expected. We need to log in only once at
mywa.mydomain-abc.com, and the iframe-embedded page from
mydomain-xyz.com gets its expected cookie and shows up inside the
mydomain-abc.com page:

  http://mywa.mydomain-abc.com/home/index.html

  The iframe element
  This is test page

  +------+
  | home |
  |      |
  |      |
  +------+
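To see why the three configurations above behave differently, the following added example (not SiteMinder code; the host names are the article's, the function and variable names are made up for illustration) models Chrome 80's SameSite decision for a request issued from a cross-site iframe and follows the Application 2 / Cookie Provider redirect chain under each combination of SameSite ACO settings. It models only whether a stored cookie is attached to a request: Chrome 80 also refuses to store a SameSite=None cookie that lacks the Secure attribute, so the SameSite=None setting needs HTTPS in practice, and Chrome's temporary "Lax+POST" exception is not modelled.

```python
"""Chrome 80 SameSite model applied to the cookie-provider iframe flow.

Added illustration, not SiteMinder code: host names are the article's,
function and variable names are made up here.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

TOP_LEVEL = "mywa.mydomain-abc.com"   # Application 1, the page that holds the iframe
APP2 = "mywa.mydomain-xyz.com"        # Application 2, loaded inside the iframe
COOKIE_PROVIDER = "wa.training.com"   # host of smmakecookie.ccc


@dataclass
class Cookie:
    name: str
    domain: str               # Domain attribute, e.g. ".training.com"
    samesite: Optional[str]   # "None", "Lax", "Strict", or None when the attribute is absent


def site_of(host: str) -> str:
    """Registrable domain used for the same-site comparison (assumed here to be the last two labels)."""
    return ".".join(host.split(".")[-2:])


def domain_matches(cookie: Cookie, host: str) -> bool:
    """RFC 6265 domain match for a Domain attribute written with a leading dot."""
    return host == cookie.domain.lstrip(".") or host.endswith(cookie.domain)


def browser_sends(cookie: Cookie, request_host: str, top_level_host: str,
                  top_level_navigation: bool, method: str = "GET") -> bool:
    """Would Chrome 80 attach `cookie` to this request?

    Rules modelled: a missing SameSite attribute is treated as Lax;
    SameSite=None cookies are attached to every request (Chrome also
    requires them to carry Secure, assumed here); Lax cookies are attached
    to same-site requests and to cross-site top-level GET navigations only;
    Strict cookies to same-site requests only.
    """
    if not domain_matches(cookie, request_host):
        return False
    mode = cookie.samesite or "Lax"
    if mode == "None":
        return True
    if site_of(request_host) == site_of(top_level_host):
        return True
    if mode == "Lax":
        return top_level_navigation and method == "GET"
    return False


def simulate_iframe_sso(cp_samesite: Optional[str], app_samesite: Optional[str],
                        max_hops: int = 8) -> Tuple[str, List[str]]:
    """Follow the redirect chain of the iframe load and report the outcome.

    cp_samesite / app_samesite are the SameSite ACO values on the Cookie
    Provider and on the two application agents (None = parameter not set).
    """
    # Cookie jar after the user logged in at the top-level page: Application 1
    # and the Cookie Provider each set SMSESSION with their own SameSite value.
    jar = [Cookie("SMSESSION", ".mydomain-abc.com", app_samesite),
           Cookie("SMSESSION", ".training.com", cp_samesite)]
    hops: List[str] = []
    host = APP2   # the iframe src; every request here is cross-site and not top-level

    def visible(domain: str, request_host: str) -> bool:
        return any(c.domain == domain and browser_sends(c, request_host, TOP_LEVEL, False)
                   for c in jar)

    for _ in range(max_hops):
        if host == APP2:
            if visible(".mydomain-xyz.com", host):
                return "page rendered", hops
            hops.append(f"{APP2} -> {COOKIE_PROVIDER}")   # no session seen, ask the CP
            host = COOKIE_PROVIDER
        else:
            if not visible(".training.com", host):
                return "login prompt at cookie provider", hops
            # The CP saw its own cookie and hands the session back; app 2's
            # agent then sets SMSESSION for .mydomain-xyz.com.
            if not any(c.domain == ".mydomain-xyz.com" for c in jar):
                jar.append(Cookie("SMSESSION", ".mydomain-xyz.com", app_samesite))
            hops.append(f"{COOKIE_PROVIDER} -> {APP2}")
            host = APP2
    return "redirected you too many times", hops


if __name__ == "__main__":
    for label, cp, app in [("no samesite anywhere", None, None),
                           ("samesite=None on CP only", "None", None),
                           ("samesite=None on all three agents", "None", "None")]:
        outcome, hops = simulate_iframe_sso(cp, app)
        print(f"{label}: {outcome} after {len(hops)} redirect(s)")
```

Running it reproduces the three outcomes in the order the article reports them: a login prompt at the Cookie Provider, the redirect loop, and the rendered page. In the model the loop arises because a cookie set without a SameSite attribute is treated as Lax and therefore withheld from the next request made inside the cross-site iframe, which is why the fix has to be applied on all three agents and not on the Cookie Provider alone.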