Our authenticatoin team made an adjustment to the SAML flow, and we’re hitting a case where users are having to re-auth any visit (or even after logging in and then opening another tab and htiting the appliance CNAME url again).
I was asked by the team that runs our auth if there’s a way to get the “sameSite” value to None instead of the current value of “sameSite=Lax” that’s currently being sent, but I can’t see any config option in the Tenant Auth settings.
Are you navigating to the url defined in your /etc/morpheus/morpheus.rb file? Also on your saml configuration, is it using the matching url of your morpheus.rb
The morpheus.rb contains the actual A record FQDN under the appliance_url, as does our SAML SSO entry in the Morpheus Tenant, but we do have 2 CNAME values that are more often used by end users for the more user friendly aspect, and those CNAMEs are where the re-auth even in a new tab is occurring that hadn’t prior to the auth flow adjustment.
Historically, this only seemed to impact the main logo on the login page in Morpheus, everything else worked fine. I believe the identity group switched to a shibboleth-proxy approach now for the SAML from what they were doing, but with that and I’m not sure what else may be in place on their end (or partly reverted), the CNAME aspects are causing the repeat requests for full auth even in a new tab.
The change did impact the initial login with the A record FQDN as well, as it doesn’t pick up the existing SAML session in the browser and roll, but that’s more of a “one time until things time out later deal” vs what we’re seeing with the CNAMEs.
Hopefully that helps with the back story with what I do know. With the above said, that’s where things are and the reason for the request from our IAM group around the sameSite=None request
The default behavior of all browsers is sameSite=Lax. From a security standpoint sameSite=Lax or Strict are the recommendations. Not all browsers support None and the changes required to Secure cookie flags.
We have [if I had to guess] 70% of our customers using some SAML provider for authentication. I would be curious what changes in flow were changed from the IDM side of things that’s changing your behavior.
Also, if you are navigating to a page by the CNAME but the morpheus.rb has the FQDN defined, your cookies will always mismatch. This is probably why the recommendation of NONE is given, to ignore the protocols to check origin of authentication. To me, the recommendation would be have the morpheus.rb match whatever URL your users are utilizing. It should be one or the other to avoid redirect / CORS / sameSite issues.
After talking to the contact in the identity group, I think we’re going to look at shifting to an alternative auth method we’re using with our dev instance which should make the overall process smoother.