inc-ops-notifications - [InCommon NOTICE] IMPORTANT: Changes to browsers may impact your connections in InCommon
Subject: InCommon Operations Notifications
- From: "Nicholas Roy"
- Subject: [InCommon NOTICE] IMPORTANT: Changes to browsers may impact your connections in InCommon
- Date: Wed, 05 Feb 2020 15:20:53 -0700
Hello,
In recent weeks, browsers such as Chrome
(https://www.chromium.org/updates/same-site), Firefox, and Safari
(https://bugs.webkit.org/show_bug.cgi?id=198181) have begun changing the
default behavior of session cookies. These changes will impact all
browser-mediated single sign-on protocols, as well as other web applications.
The browsers will start to enforce tighter controls around cookies perceived
as “cross-site”. Unfortunately, these are exactly the types of cookies that
make efficient web single sign-on work correctly. Technical professionals
responsible for their organization’s integrations with federation, single
sign-on, and related technologies are advised to read more about this issue
here: https://wiki.shibboleth.net/confluence/display/DEV/IdP+SameSite+Testing.
You may need to change how your SAML service provider and/or identity
provider software stores session state. It is recommended that Service
Providers take advantage of memory-based session caches, per their SAML
software’s documentation. For Shibboleth Service Provider, please see:
https://wiki.shibboleth.net/confluence/display/SP3/SameSite. For Shibboleth
Identity Provider, please see:
https://wiki.shibboleth.net/confluence/display/IDP30/SameSite. Identity
Providers and Service Providers should consider if and how this will impact
their integrations using InCommon or bilaterally, and determine if changes
are needed to their configurations.
Deployers of Shibboleth, SimpleSAMLphp, and SATOSA all have viable
workarounds they can use that are known to alleviate the SameSite issue, at
least for the time being. The state of other software is out of the scope of
this advisory.
To discuss this issue with others in the InCommon community, we recommend you
subscribe to the mailing list, at
https://lists.incommon.org, and post there.
Thank you,
Nick Roy
on behalf of the InCommon Technical Advisory Committee (InC-TAC) and the
Community Architecture Committee for Trust and Identity (CACTI)
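
The cookie behaviour this notice describes, as an added example that is not part of the original message and not code from Shibboleth, SimpleSAMLphp or SATOSA: a simplified model of the browsers' SameSite rules, applied to the cross-site POST that returns a sign-on response to a service provider. The cookie names and sample headers are constructed, and the request descriptions are assumptions made for illustration.

```javascript
// Added illustration, not code from the advisory. Simplified model of the new
// SameSite defaults: a cookie without the attribute is treated as Lax, and
// SameSite=None is only accepted together with Secure. Not modeled: Chrome's
// temporary allowance for very new cookies on POST, and site computation.

// Parse the parts of a Set-Cookie header value that matter here.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const cookie = { name: pair.split('=')[0], sameSite: null, secure: false };
  for (const attr of attrs) {
    const [key, value = ''] = attr.split('=').map((s) => s.trim().toLowerCase());
    if (key === 'samesite') cookie.sameSite = value;
    if (key === 'secure') cookie.secure = true;
  }
  return cookie;
}

// Policy the browser applies once the new defaults are enforced.
function effectivePolicy(cookie) {
  if (cookie.sameSite === 'none') return cookie.secure ? 'none' : 'rejected';
  if (cookie.sameSite === 'strict') return 'strict';
  return 'lax'; // attribute absent or unrecognized
}

// Would the browser attach this cookie to the given request?
function isSent(cookie, request) {
  const policy = effectivePolicy(cookie);
  if (policy === 'rejected') return false; // the cookie is never stored
  if (!request.crossSite || policy === 'none') return true;
  if (policy === 'strict') return false;
  return request.topLevel && ['GET', 'HEAD'].includes(request.method);
}

// Two steps of a browser-mediated SSO flow, as seen by the receiving party.
const REDIRECT_GET = { crossSite: true, topLevel: true, method: 'GET' };
const RESPONSE_POST = { crossSite: true, topLevel: true, method: 'POST' };

// Names of cookies that will be absent when the response is POSTed back.
function missingOnResponsePost(setCookieHeaders) {
  return setCookieHeaders.map(parseSetCookie)
    .filter((c) => !isSent(c, RESPONSE_POST)).map((c) => c.name);
}

// Constructed sample headers; the cookie names are hypothetical.
const SAMPLE = [
  'sp_session=abc123; Path=/; HttpOnly',
  'sp_relay=xyz; Path=/; Secure; HttpOnly; SameSite=None',
  'sp_legacy=1; Path=/; SameSite=None',
];
console.log(missingOnResponsePost(SAMPLE));
```

A cookie reported as missing here is state the receiving software cannot rely on after the cross-site POST, which is why the notice points deployers at their software's SameSite guidance.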