Improve Single-Sign-On Redirect for SameSite=Lax and SameSite=Strict

[jzheaux]

Lax + POST mitigation as well as the following Spring Security tickets:

• Change the default implementation of Saml2AuthenticationRequestRepository to store and load AuthnRequests based on the ID instead of the session #14013
• Receive AuthnRequest Id and Response InResponseTo in Saml2AuthenticationRequestRepository #11468

explain some of the difficulties around using SameSite=Lax or SameSite=Strict when using SSO technologies like SAML and others that redirect with a POST.

There are a few ways to consider:

• Provide an implementation of CookieSameSiteSupplier that writes the session cookie as SameSite=None pre-login and as SameSite=Strict post-login (Boot-specific solution)

• Have the session cookie always be SameSite=None and introduce a SameSite=Strict correlation cookie when authentication succeeds. The correlation cookie has a secure random value that must match a certain session attribute, lest the session be invalidated.

• Add a separate SameSite=None cookie whose opaque token references pre-login information, the opaque token could be the RelayState. It would be created when login begins and destroyed when login completes either successfully or unsuccessfully.

• Use the Artifact binding instead (SAML-specific). Such allows the redirect from the IdP to be a GET instead of a POST.

[jzheaux]

Boot applications can achieve the first bullet by doing:

private static final String NAME = Authentication.class.getName();

@EventListener
public void onAuthenticationSuccess(AuthenticationSuccessEvent event) {
    RequestAttributes attributes = RequestContextHolder.currentRequestAttributes();
    attributes.setAttribute(NAME, event.getAuthentication(), RequestAttributes.SCOPE_REQUEST);
}

@Bean
public CookieSameSiteSupplier authenticationBased() {
    CookieSameSiteSupplier supplier = (cookie) -> {
        RequestAttributes attributes = RequestContextHolder.currentRequestAttributes();
        Authentication authentication = (Authentication) attributes.getAttribute(NAME, RequestAttributes.SCOPE_REQUEST);
        return (authentication == null || !authentication.isAuthenticated()) ?
                Cookie.SameSite.NONE : Cookie.SameSite.STRICT;
    };
    return supplier.whenHasName("JSESSIONID");
}

[skshitiz-vmw]

To add one scenario related to the first bullet:
if we try to set Cookie.SameSite as none in http application (not https secure), we will get ERR_TOO_MANY_REDIRECTS as the application will redirect too many times because Cookie.Secure = true won't work until the application uses https, not http.

[VivionLin]

My project is using 3.2.5. The CookieSameSiteSupplier not work for me because Saml2WebSsoAuthenticationRequestFilter finally uses CookieHttpSessionIdResolver and then DefaultCookieSerializer to write the session cookie.

[EkaLinMan]

Hi @jzheaux, our team plans to use the SameSite=Strict policy to protect our application, and we’d be grateful if you could provide some insights on the following questions:

• Is there a planned timeline for releasing this improvement mentioned in this issue?

• This issue seems to primarily focus on SSO. Would it be possible to expand the scope to also support the SLO feature? Please correct me if I’m mistaken, but if the logout request is initiated by the asserting party, the Saml2LogoutRequestFilter retrieves the authentication from securityContextHolderStrategy. However, I believe this does not work under the SameSite=Strict policy.

• Under the SameSite=Strict policy, it seems that Spring Security 6.5 introduced CacheSaml2AuthenticationRequestRepository to support login. Is there any recommended approach for handling AP-initiated logout in this context?

Thanks for your help!

[ojacquemart]

hi @jzheaux,

first, thanks for all the great work done in the recent spring security versions. ☺️
would you have any news about that issue?

thanks in advance ☺️