KEYCLOAK-14103 Document setting of SameSite to None for Wildfly/EAP and Tomcat

mhajas 2020-06-02 12:22:34 +02:00 committed by Hynek Mlnařík
parent 073813d5c5
commit 5675da5ac3
4 changed files with 55 additions and 0 deletions

@ -21,6 +21,15 @@ Keycloak server was upgraded to use WildFly 20.0.1.Final under the covers. For m
please take a look at link:{upgradingguide_link_latest}[{upgradingguide_name}].
== SAML POST binding is broken in the latest versions of browsers
The `SameSite` value `None` for `JSESSIONID` cookie is necessary for correct behavior of the {project_name} SAML adapter.
Usage of a different value is causing resetting of the container's session with each request to {project_name}, when
the SAML POST binging is used. Refer to the following steps for
link:{adapterguide_link}#_saml-jboss-adapter-samesite-setting[Wildfly] and
link:{adapterguide_link}#_saml-tomcat-adapter-samesite-setting[Tomcat] to keep the correct behavior. Notice, that this
workaround should be working also with the previous versions of the adapter.
== Other improvements
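Review bot: typo in the release note paragraph, `the SAML POST binging is used` should read `the SAML POST binding is used`. Two smaller style points in the same paragraph: it writes `Wildfly` while the hunk's own first context line (and the rest of the docs) spell it `WildFly`, and `Notice, that this workaround should be working also with the previous versions of the adapter` reads better as `Note that this workaround should also work with previous versions of the adapter`.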

@ -79,6 +79,7 @@ include::topics/saml/java/general-config/idp_keys_subelement.adoc[]
include::topics/saml/java/general-config/idp_httpclient_subelement.adoc[]
include::topics/saml/java/saml-jboss-adapter.adoc[]
include::topics/saml/java/jboss-adapter/jboss_adapter_installation.adoc[]
include::topics/saml/java/jboss-adapter/jboss-adapter-samesite-setting.adoc[]
include::topics/saml/java/jboss-adapter/jboss-adapter-rpms.adoc[]
include::topics/saml/java/jboss-adapter/required_per_war_configuration.adoc[]
include::topics/saml/java/jboss-adapter/securing_wars.adoc[]
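Review bot: file-naming style point on the added include, `jboss-adapter-samesite-setting.adoc` uses hyphens while the topic it sits next to, `jboss_adapter_installation.adoc`, and most of its siblings (`required_per_war_configuration.adoc`, `securing_wars.adoc`) use underscores; the directory already mixes both (`jboss-adapter-rpms.adoc`), so either name works, but it is worth settling on one now because the anchor `_saml-jboss-adapter-samesite-setting` is linked from the release notes in this same commit and a later rename is easy to miss.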
@ -86,6 +87,7 @@ ifeval::[{project_community}==true]
include::topics/saml/java/tomcat-adapter.adoc[]
include::topics/saml/java/tomcat-adapter/tomcat_adapter_installation.adoc[]
include::topics/saml/java/tomcat-adapter/tomcat_adapter_per_war_config.adoc[]
include::topics/saml/java/tomcat-adapter/tomcat-adapter-samesite-setting.adoc[]
include::topics/saml/java/jetty-adapter.adoc[]
include::topics/saml/java/jetty-adapter/jetty9_installation.adoc[]
include::topics/saml/java/jetty-adapter/jetty9_per_war_config.adoc[]
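Review bot: the Tomcat include is added inside the `ifeval::[{project_community}==true]` block shown in the hunk header, so the anchor `_saml-tomcat-adapter-samesite-setting` only exists in the community build of the adapter guide; the release note in this same commit links to that anchor unconditionally, which leaves a dangling cross-reference in the product build unless the Tomcat link there is wrapped in the same `ifeval` or the topic is moved outside the conditional.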

@ -0,0 +1,20 @@
[[_saml-jboss-adapter-samesite-setting]]
===== Setting SameSite value for JSESSIONID cookie
Browsers are planning to set the default value for the `SameSite` attribute for cookies to `Lax`. This setting means
that cookies will be sent to applications only if the request originates in the same domain. This behavior can affect
the SAML POST binding which may become non-functional. To preserve full functionality of the SAML adapter, we recommend
setting the `SameSite` value to `None` for the `JSESSIONID` cookie created by your container. Not doing so may result in
resetting the container's session with each request to {project_name}.
NOTE: To avoid setting the `SameSite` attribute to `None`, consider switching to the REDIRECT binding
if it is acceptable, or to OIDC protocol where this workaround is not necessary.
To set the `SameSite` value to `None` for the `JSESSIONID` cookie in Wildfly/EAP, add a file `undertow-handlers.conf`
with the following content to the `WEB-INF` directory of your application.
samesite-cookie(mode=None, cookie-pattern=JSESSIONID)
The support for this configuration is available in Wildfly from version 19.1.0.
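Review bot: the handler line `samesite-cookie(mode=None, cookie-pattern=JSESSIONID)` is plain paragraph text here, whereas the sibling Tomcat topic wraps its snippet in a `[source]` listing with `----` delimiters; use the same listing here so the line renders as code and copies cleanly into `undertow-handlers.conf`. Two further points: `Wildfly` should be `WildFly` to match the rest of the documentation, and the topic should state that browsers only accept a `SameSite=None` cookie when it also carries the `Secure` attribute, so this workaround only takes effect for applications served over HTTPS; on plain HTTP the cookie is rejected and the session-reset symptom described above remains.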

@ -0,0 +1,24 @@
[[_saml-tomcat-adapter-samesite-setting]]
===== Setting SameSite value for JSESSIONID cookie
Browsers are planning to set the default value for the `SameSite` attribute for cookies to `Lax`. This setting means
that cookies will be sent to applications only if the request originates in the same domain. This behavior can affect
the SAML POST binding which may become non-functional. To preserve full functionality of the SAML adapter, we recommend
setting the `SameSite` value to `None` for the `JSESSIONID` cookie created by your container. Not doing so may result in
resetting the container's session with each request to {project_name}.
NOTE: To avoid setting the `SameSite` attribute to `None`, consider switching to the REDIRECT binding
if it is acceptable, or to OIDC protocol where this workaround is not necessary.
To set the `SameSite` value to `None` for `JSESSIONID` cookie in Tomcat add following configuration to the`context.xml`
of your application. Note, this will set the `SameSite` value to `None` for all cookies created by Tomcat container.
[source,xml]
----
<CookieProcessor sameSiteCookies="None" />
----
WARNING: It is not possible to set the `SameSite` attribute only to a subset of cookies, therefore all cookies created
for your application will have this attribute set to `None`.
The support for this feature is available in Tomcat from versions 9.0.29 and 8.5.49.
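Review bot: grammar in the Tomcat instruction, `for `JSESSIONID` cookie in Tomcat add following configuration to the`context.xml`` should read `for the `JSESSIONID` cookie in Tomcat, add the following configuration to the `context.xml`` (missing articles, comma and the space before `context.xml`). The introductory paragraph and the NOTE admonition are copied verbatim from the WildFly topic; moving them into a shared include, or stating them once under the SAML adapter section with each container topic carrying only its own snippet, keeps the two from drifting apart. The sentence after the `context.xml` instruction and the WARNING both say that all cookies created by Tomcat get `SameSite=None`; one statement is enough.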