[DOCU-2184] Document SSO infinite loop with sameSiteCookies="strict" Created: 20/May/21  Updated: 04/Jun/21  Resolved: 21/May/21

Status: Closed
Project: Documentation
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Neutral
Reporter: Mikaël Geljić Assignee: Martin Drápela
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: JPEG File mpv-shot0001.jpg
Issue Links:
Relates
relates to MGNLTOMCAT-19 Set sameSiteCookies policy to Lax by ... Closed
Documentation page URL: https://docs.magnolia-cms.com/product-docs/Modules/List-of-modules/SSO-module.html

Description

Strict is currently the default as of 6.2.8.

Browsing the HELPDESK-1541 ticket now, I realize, however, that this was observed with the old SSO connector from services, not the productized one that we document here.

Maybe it is also affected or deserves an update of pac4j.
Feel free to close or move if irrelevant.

Comments
Comment by Maxime Michel [ 20/May/21 ]

The pac4j-based module doesn't run into an infinite loop but can't wrap the login flow successfully either.

Comment by Mikaël Geljić [ 20/May/21 ]

Thanks! Jan actually suggested documenting this at the Tomcat level instead (and maybe in Troubleshooting), rather than under SSO itself; there it would apply more broadly. Whether we change the default value or not, the note could go like:

Unable to sign in with SSO / OpenID Connect setup

Make sure your Tomcat configuration's CookieProcessor does not have the sameSiteCookies set to Strict. Lax supports OpenID's top-level redirects, while maintaining decent protection against CSRF.
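To make the note above checkable, here is an added example (not code from the ticket, the Magnolia product or Tomcat): it audits a `context.xml` fragment for the `CookieProcessor` `sameSiteCookies` value, and models the browser's SameSite decision on the one request that breaks, the cross-site top-level redirect from the identity provider back to the application's callback. The two XML fragments, the hostnames and the `registrable_site` approximation (last two host labels instead of the Public Suffix List) are constructed assumptions.

```python
"""Audit Tomcat's sameSiteCookies setting and model why 'strict' breaks the
OpenID Connect redirect back to the application while 'lax' still blocks CSRF."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed context.xml fragments: the weak setting first, the corrected one second.
CONTEXT_XML_STRICT = """<Context>
  <CookieProcessor sameSiteCookies="strict"/>
</Context>"""

CONTEXT_XML_LAX = """<Context>
  <CookieProcessor sameSiteCookies="lax"/>
</Context>"""


def audit_cookie_processor(context_xml: str) -> dict:
    """Return every sameSiteCookies value found on a CookieProcessor element and
    whether any of them is 'strict', the value that drops the OIDC callback cookie."""
    root = ET.fromstring(context_xml)
    nodes = root.findall(".//CookieProcessor")
    if root.tag == "CookieProcessor":   # fragment that is the element itself
        nodes.insert(0, root)
    values = [n.get("sameSiteCookies", "unset").lower() for n in nodes]
    return {"values": values, "breaks_oidc_redirect": "strict" in values}


def registrable_site(url: str) -> str:
    """Approximate the browser's notion of 'site' (eTLD+1) by the last two host
    labels. Adequate for the example.com style hosts used here (assumption)."""
    host = urlsplit(url).hostname or ""
    return ".".join(host.split(".")[-2:])


def cookie_sent(same_site: str, initiator_url: str, target_url: str,
                method: str, top_level_navigation: bool) -> bool:
    """Model of the SameSite rule a browser applies before attaching a cookie."""
    if same_site == "none":
        return True                  # always sent (browsers also require Secure)
    if registrable_site(initiator_url) == registrable_site(target_url):
        return True                  # same-site request: every policy allows it
    if same_site == "strict":
        return False                 # cross-site request: never sent
    # lax: sent only on a top-level navigation that uses a safe method
    return top_level_navigation and method.upper() in ("GET", "HEAD")


def callback_carries_session(same_site: str) -> bool:
    """The failing step: after authentication at the identity provider, the browser is
    redirected (top-level GET) to the application's callback URL. The session cookie
    holding the login state saved before the redirect must ride along, or the callback
    cannot be matched to the pending login. Hostnames are constructed placeholders."""
    return cookie_sent(same_site,
                       initiator_url="https://idp.example.org/authorize",
                       target_url="https://magnolia.example.com/.auth/callback",
                       method="GET", top_level_navigation=True)


def cross_site_post_carries_session(same_site: str) -> bool:
    """Why lax remains a sensible default: a top-level POST submitted from another
    site does not carry the session cookie under lax (nor under strict)."""
    return cookie_sent(same_site,
                       initiator_url="https://other-site.example.net/page",
                       target_url="https://magnolia.example.com/.rest/change",
                       method="POST", top_level_navigation=True)


if __name__ == "__main__":
    for policy in ("strict", "lax", "none"):
        print(f"{policy:6}: callback carries session = {callback_carries_session(policy)}, "
              f"cross-site POST carries session = {cross_site_post_carries_session(policy)}")
    print("strict fragment:", audit_cookie_processor(CONTEXT_XML_STRICT))
    print("lax fragment:   ", audit_cookie_processor(CONTEXT_XML_LAX))
```

Running it shows the asymmetry the note relies on: under `strict` the callback arrives without the session cookie, under `lax` it arrives with it, and in both cases a cross-site POST from another origin is stripped of the cookie. `audit_cookie_processor` can be pointed at a real `conf/context.xml` to confirm the setting before digging into the SSO module itself.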

Generated at Mon Feb 12 01:24:47 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.