Google is intending to change the way Chrome will manage cookies in 2024 and it is expected to impact some SiteMinder use cases.
The change and the timing of the change can be found at this link --> https://developer.chrome.com/blog/cookie-countdown-2023oct
Impacted versions: All versions
- The SiteMinder team has been testing the impact of the intended Chrome change and to date, we have identified two single-log-out (SLO) use cases, in the federation group of use cases, which will fail with the change Google is intending.
Use case that will fail |
Where that use case is described in the current SiteMinder documentation |
Logout at IdP when SiteMinder acts as IdP and SP in a WS-FED SLO (All Versions) |
https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/How-SiteMinder-Avoids-Impact-of-the-Default-Behavior-of-Google-Chrome-80-for-SameSite-Cookie-Attribute/Recommended-Settings-for-Impacted-Use-Cases.html |
Front Channel SLO in OIDC (12.8 SP8) |
https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/configuring/use-siteminder-as-openid-connect-provider/front-channel-slo-in-siteminder-oidc.html |
Out of the box, these use cases use iframes within signoutconfirmurl.jsp and oidcsignoutconfirmurl.jsp , respectively, Chrome , with the intended 2024 configuration change, will block the use of the cookie in these flows.
- Additional tests revealed NTLM and Kerberos impacted cases as follows
Use case that will fail |
Description of the use case |
URL within iframes protected with NTLM or Kerberos authentication will fail. |
NTLM and Kerberos authentication does not work with iframes in third-party contexts. Blocking third-party cookies suppresses HTTP Negotiate/NTLM Authentication for iframes in 3rd party contexts. The following link explains the same. https://bugs.chromium.org/p/chromium/issues/detail?id=1154281 |
** The SiteMinder team will:
• continue testing the Chrome change across more use cases until we have completed 100% of our intended testing.
• update the information we provide to you (see below about the KBA) about progress toward the target of 100% of test cases executed.
• work on alternate designs for the use cases that will be disrupted by Chrome changes.
This KB article will be updated weekly to communicate our progress: KBA URL
** We encourage you to:
• familiarize yourself with Google’s intended changes
• assess the implication of these changes to your applications.
• execute tests with the configuration option that Google has made available in Chrome and report to us, via a support case, any additional SiteMinder use cases that fail in your environment.
• contact Google (information on how to do that is found at the Google link above) for additional information about how Chrome changes may impact your applications, but are external to SiteMinder’s functioning.