From 8659b670ab4c404c44ab10623a65b20974f19c0a Mon Sep 17 00:00:00 2001 From: mhajas Date: Thu, 11 Jun 2020 11:06:11 +0200 Subject: [PATCH] KEYCLOAK-14105 Document setting SameSite to None for mod_auth_mellon --- .../topics/saml/mod-auth-mellon.adoc | 21 ++++++++++++++++++- 1 file changed, 20 insertions(+), 1 deletion(-) diff --git a/securing_apps/topics/saml/mod-auth-mellon.adoc b/securing_apps/topics/saml/mod-auth-mellon.adoc index ff38431a71..dd8e2e557e 100644 --- a/securing_apps/topics/saml/mod-auth-mellon.adoc +++ b/securing_apps/topics/saml/mod-auth-mellon.adoc @@ -2,7 +2,7 @@ === mod_auth_mellon Apache HTTPD Module -The https://github.com/UNINETT/mod_auth_mellon[mod_auth_mellon] module is an Apache HTTPD plugin for SAML. If your language/environment supports using Apache HTTPD as a proxy, then you can use mod_auth_mellon to secure your web application with SAML. For more details on this module see the _mod_auth_mellon_ GitHub repo. +The https://github.com/latchset/mod_auth_mellon[mod_auth_mellon] module is an Apache HTTPD plugin for SAML. If your language/environment supports using Apache HTTPD as a proxy, then you can use mod_auth_mellon to secure your web application with SAML. For more details on this module see the _mod_auth_mellon_ GitHub repo. To configure mod_auth_mellon you'll need: 
@@ -91,6 +91,25 @@ To configure the Mellon service provider, complete the following steps: NOTE: Some of the files referenced in the code above are created in later steps. +==== Setting the SameSite value for the cookie used by mod_auth_mellon + +Browsers are planning to set the default value for the `SameSite` attribute for cookies to `Lax`. This setting means +that cookies will be sent to applications only if the request originates in the same domain. This behavior can affect +the SAML POST binding which may become non-functional. To preserve full functionality of the _mod_auth_mellon_ module, +we recommend setting the `SameSite` value to `None` for the cookie created by _mod_auth_mellon_. Not doing so may result +in an inability to login using {project_name}. + +To set the `SameSite` value to `None`, add the following configuration to `` tag within your `mellon.conf` +file. + +[source,xml] +---- +MellonSecureCookie On +MellonCookieSameSite none +---- + +The support for this configuration is available in the _mod_auth_mellon_ module from version 0.16.0. + ===== Creating the Service Provider Metadata In SAML IdPs and SPs exchange SAML metadata, which is in XML format. The schema for the metadata is a standard, thus assuring participating SAML entities can consume each other's metadata. You need:
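Review bot: the link change from `https://github.com/UNINETT/mod_auth_mellon` to `https://github.com/latchset/mod_auth_mellon` in the first hunk is unrelated to the SameSite change that the Subject (`KEYCLOAK-14105 Document setting SameSite to None for mod_auth_mellon`) describes; either mention the repository move in the commit message or split it into its own commit so the history explains why the upstream URL changed.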
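Review bot: the new `==== Setting the SameSite value for the cookie used by mod_auth_mellon` heading in the second hunk is one level above the `===== Creating the Service Provider Metadata` heading that follows it, so in the rendered page the remaining level-5 steps of the service-provider configuration become subsections of the SameSite section; use `=====` so it sits alongside the other steps, or move the section after the last of them. In the same hunk, "add the following configuration to `` tag within your `mellon.conf` file" has an empty literal where the tag name should be; spell out the tag used in the `mellon.conf` listing earlier in this section. The description of `Lax` ("cookies will be sent to applications only if the request originates in the same domain") is not accurate: with `Lax` the browser still sends the cookie on top-level cross-site navigations that use safe methods such as GET and withholds it only on cross-site POST, which is exactly why the SAML POST binding, where the IdP posts the response to the SP's assertion consumer service, arrives without the session cookie; stating it that way makes the motivation clearer. Because `SameSite=None` gives up that protection against cross-site request forgery, it is worth saying why `MellonSecureCookie On` must stay in the snippet: browsers reject `SameSite=None` on cookies that lack the `Secure` attribute, so the SP has to be served over HTTPS, and older Safari releases treat the unknown value `None` as `Strict`, so the workaround does not help there. Finally, `[source,xml]` is the wrong highlighter for Apache httpd directives; use the language tag of the other `mellon.conf` listing in this file, or omit it.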