Forum Discussion

AlexS_yb's avatar
AlexS_yb
Icon for Cirrocumulus rankCirrocumulus
May 28, 2023

samesite cookie for SAML authentication

Hi

I'm using https://techdocs.f5.com/en-us/bigip-15-0-0/big-ip-access-policy-manager-per-request-policies/implementing-seamless-sso-azure-saml-mfa/azure-ad-creating-local-service-provider-main-authentication.html to setup and test

F5 SP

MS Azure iDP

and I am using F5 script for setting cookies (F5 APM / ASM) samesite attributes, basically https://community.f5.com/t5/technical-articles/irule-to-set-samesite-for-compatible-clients-and-remove-it-for/ta-p/278650

My issue is the return call from MS Azure is a 302 redirect back to the F5. the browser (Edge / Firefox) is not sending any of the F5 cookies.

 

I presume because MRHSession is not being sent a new session is being created which breacks the SAML auth.

 

I have samesite for this and all F5 to secure  / http only / samesite => lax

 

it looks like i need to set samesite to none for MRHsession

are other facing this problem if so how are you dealing with it - I am thinking of making this change just for my SP VS/domain

is there another solution ?

 

 

 

 

 

1 Reply

  • Come back to add some info for this

    MRHSession cookie needs to be set to samesite="none" for saml redirect to work  - simple as that 😞

    Thats what I have done on my SP