SameSite cookie rules
For additional cookie security, enable support for applying SameSite cookie rules, as described in the internet-draft Cookies: HTTP State Management Mechanism.
You can configure the AM server to apply SameSite cookie rules by navigating to Configure > Server Defaults > Advanced, and setting the com.sun.identity.cookie.samesite property's value to one of the following:

- strict: Requests originating from different sites will not have cookies sent with them. When this mode is enabled, any AM functionality that relies on requests being redirected back to the AM instance may not operate correctly. For example, OAuth 2.0 flows and SAML federation may not operate correctly if AM cannot access the required cookies.
- lax: Cookies received from different sites cannot be accessed, unless the request is a top-level request and uses a "safe" HTTP method, such as GET, HEAD, OPTIONS, or TRACE.
- off: No restrictions on the domain of cookies are applied. This is the default setting.
You must disable SameSite support if any of the following is true:

- You have set Access-Control-Allow-Credentials=true in your CORS configuration. For more information on configuring CORS in AM, see Configure CORS support.
- You are using SAML HTTP-POST bindings. For example, IDP-initiated single logout (SLO) functionality will not operate correctly if SameSite support is enabled, as the iPlanetDirectoryPro cookie would not be accessible in cross-domain POST requests. For more information on SAML single logout, see Implement SSO and SLO.
- Modern browsers only allow disabling
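The following is an added example, not code from AM or its documentation. It simulates how a browser applies the three settings above to AM's iPlanetDirectoryPro cookie and runs the cross-site cases the page warns about (a redirect back to AM, a SAML HTTP-POST binding, and a credentialed CORS fetch). It assumes that the AM setting `off` results in the cookie being issued without a SameSite attribute, and that a missing attribute imposes no restriction; the `<session-token>` value and the scenario names are constructed placeholders.

```python
"""Simulate browser SameSite handling for AM's session cookie.

Added example; not AM's own code. Assumes AM's 'off' setting means the cookie
is issued with no SameSite attribute, treated here as no restriction.
"""
from dataclasses import dataclass

# "Safe" HTTP methods as listed on the page for the lax rule
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}

# Assumed mapping from the com.sun.identity.cookie.samesite value to the
# attribute the browser sees (None = attribute omitted)
AM_SETTING_TO_ATTRIBUTE = {"strict": "Strict", "lax": "Lax", "off": None}


@dataclass(frozen=True)
class Request:
    """Context a browser has when deciding whether to attach a cookie."""
    cross_site: bool   # request originates from a site other than AM's
    top_level: bool    # top-level navigation, not a sub-resource or fetch()
    method: str


def samesite_of(set_cookie_header: str) -> str:
    """Return the SameSite value ('strict', 'lax' or 'none') of a Set-Cookie header.

    A missing attribute is treated as 'none' (no restriction).
    """
    for attr in set_cookie_header.split(";")[1:]:
        name, _, value = attr.strip().partition("=")
        if name.strip().lower() == "samesite":
            return value.strip().lower() or "none"
    return "none"


def cookie_sent(samesite: str, req: Request) -> bool:
    """Apply the SameSite rules described on the page to one request."""
    mode = samesite.lower()
    if not req.cross_site:
        return True            # same-site requests are never restricted
    if mode == "strict":
        return False           # cross-site requests never carry the cookie
    if mode == "lax":
        # only top-level navigations using a safe method carry the cookie
        return req.top_level and req.method.upper() in SAFE_METHODS
    return True                # 'none' / AM 'off': no restriction


def build_set_cookie(am_setting: str) -> str:
    """Header AM is assumed to emit for a given com.sun.identity.cookie.samesite value."""
    attr = AM_SETTING_TO_ATTRIBUTE[am_setting]
    # <session-token> is a constructed placeholder, not a real token
    header = "iPlanetDirectoryPro=<session-token>; Path=/; Secure; HttpOnly"
    return (header + f"; SameSite={attr}") if attr else header


# Constructed scenarios matching the caveats on the page
SCENARIOS = {
    # Browser redirected back to AM during an OAuth 2.0 or SAML redirect flow
    "oauth_redirect_back": Request(cross_site=True, top_level=True, method="GET"),
    # SAML HTTP-POST binding: the IdP's form auto-submits a cross-site POST to AM
    "saml_http_post_binding": Request(cross_site=True, top_level=True, method="POST"),
    # Script on another origin calling AM with credentials (CORS, Allow-Credentials)
    "cors_fetch_with_credentials": Request(cross_site=True, top_level=False, method="GET"),
    # Same-site request, e.g. the user browsing AM's own UI
    "same_site": Request(cross_site=False, top_level=True, method="GET"),
}


def evaluate(am_setting: str) -> dict[str, bool]:
    """For one AM setting, report which scenarios still receive the session cookie."""
    mode = samesite_of(build_set_cookie(am_setting))
    return {name: cookie_sent(mode, req) for name, req in SCENARIOS.items()}


if __name__ == "__main__":
    for setting in ("strict", "lax", "off"):
        print(setting, evaluate(setting))
```

Running it shows why the page tells you to disable SameSite for HTTP-POST bindings and credentialed CORS: under `lax` the redirect-based GET back to AM still carries the cookie, but the cross-site POST and the non-top-level fetch do not; under `strict` none of the cross-site cases do.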