User Password change not working in iFrame with VIP Login SaaS and Siteminder integration

Article ID: 278861

Updated On: 01-24-2025

Products

VIP Service

Issue/Introduction

When VIP SaaS is integrated with the Siteminder flow and a user initiates a password change request within an iFrame, the user gets an error message: viplogin.signedout.1, viplogin.signedout.1.

Environment

VIP Service

Cause

  1. VIP receives the AuthN request.
  2. VIP locates the User ID and retrieves the user information (including the account policy).
  3. VIP attempts to display the MFA page.
  4. The page load fails due to Chrome blocking the session cookie (from the initial request).
  5. VIP displays a partially rendered error page due to the lack of language translation when the session is not found and the language is null. 

Request URL: https://login.vip.symantec.com/viplogin/translation?lang=server_pick
HTTP Version: HTTP/1.1
Request method: GET
Response: 500 Internal Server Error HTTP/1.1

Resolution

The Broadcom development team implemented a change for VIPLogin to explicitly set 'SameSite=None' in our January 2025 maintenance release (BRCMVIP-6573).

Other options if the problem is still occurring:

VIP uses session cookies for management. The Password Reset request goes to VIP (https://login.vip.symantec.com/viplogin), which is not the original domain shown in the parent browser address bar (https://example.com). Because the URLs are different, it is a cross-site request. Chrome detects the mismatch between login.vip.symantec.com and example.com, and blocks the transactions.

Blocking of third-party cookies was introduced in Chrome 85 to protect against Cross-Site Request Forgery (CSRF).
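
The cookie decision described above, and the effect of the 'SameSite=None' change in the Resolution, can be modelled as follows. This is an added example, not Broadcom code: the cookie name SESSION and its attributes are constructed, and the site comparison is a simplification that assumes hosts of the form *.example.com.

```javascript
// Added example: models SameSite handling for a cookie requested from
// inside an iframe. Not VIP or Chrome source code.

// Constructed sample URLs taken from the article text.
const PARENT = "https://example.com/";
const VIP = "https://login.vip.symantec.com/viplogin";

// Parse a Set-Cookie header into the attributes that matter here.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const cookie = { name: pair.split("=")[0], secure: false, sameSite: null };
  for (const attr of attrs) {
    const [key, value = ""] = attr.split("=").map((s) => s.trim());
    if (key.toLowerCase() === "secure") cookie.secure = true;
    if (key.toLowerCase() === "samesite") cookie.sameSite = value.toLowerCase();
  }
  return cookie;
}

// Assumption: site = scheme + last two host labels. Real browsers use the
// Public Suffix List, so this shortcut only holds for simple .com hosts.
function siteOf(url) {
  const u = new URL(url);
  return u.protocol + "//" + u.hostname.split(".").slice(-2).join(".");
}

// Decide whether the cookie is attached to a request made by a framed page.
function sentInIframe(setCookieHeader, topLevelUrl, frameRequestUrl) {
  const cookie = parseSetCookie(setCookieHeader);
  if (cookie.secure && new URL(frameRequestUrl).protocol !== "https:") {
    return { sent: false, reason: "Secure cookie on non-HTTPS request" };
  }
  if (siteOf(topLevelUrl) === siteOf(frameRequestUrl)) {
    return { sent: true, reason: "same-site" };
  }
  // Cross-site from here on. A missing or unknown SameSite value acts as Lax.
  const known = cookie.sameSite === "none" || cookie.sameSite === "strict";
  const mode = known ? cookie.sameSite : "lax";
  if (mode !== "none") {
    return { sent: false, reason: `SameSite=${mode} withheld in cross-site iframe` };
  }
  if (!cookie.secure) {
    return { sent: false, reason: "SameSite=None rejected without Secure" };
  }
  return { sent: true, reason: "SameSite=None; Secure allowed cross-site" };
}
```

A browser configured to block all third-party cookies withholds the cookie even when it carries SameSite=None and Secure, so this model covers only the default SameSite behaviour.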

Recommendations:

  • Use the Firefox browser.
  • Execute Password Reset requests in a separate tab rather than an iframe.