PingFederate Server

Enabling partitioned cookies

The Partitioned attribute keeps a cookie readable within the context in which it was created.

About this task

Google Chrome has announced they are deprecating third-party cookies in 2024. This change might break PingFederate use cases based on iframe-based login widgets.

You can enable the Partitioned attribute for cookies set by PingFederate. This ensures that, when a cookie is created in a given context (such as an application using an embedded login widget), the cookie will continue to be readable within that same context.

This feature is controlled with a config-store file called global-cookie-config.xml, and is disabled by default.

Steps

  1. Go to <PF_installation>/server/default/data/config-store/global-cookie-config.xml.

  2. Change the enable-partitioned-cookies value to true.

    The file should now look like the following.

    <?xml version="1.0" encoding="UTF-8"?>
    <c:config xmlns:c="http://www.sourceid.org/2004/05/config">
        <c:item name="enable-partitioned-cookies">true</c:item>
        <!--Partitioned cookie incompatible User-Agent exclusion list
        each listItem must be regex targeting specific User-Agent(s)-->
        <c:list name="partitioned-cookies-user-agent-exclusion"></c:list>
    </c:config>
  3. Optional: Alternatively, you can make this change with the following REST call to PingFederate’s administrative API.

    curl -u <username:password> -X 'PUT' \
      'https://<PF_host>/pf-admin-api/v1/configStore/global-cookie-config/enable-partitioned-cookies' \
      -H 'accept: application/json' \
      -H 'Content-Type: application/json' \
      -H 'X-XSRF-Header: PingFederate' \
      -d '{"id": "enable-partitioned-cookies", "type": "STRING", "stringValue": "true"}'
  4. Depending on the clustering mode of your deployment, do one of the following:

    • In a standalone environment, restart PingFederate.

    • In a clustered environment, replicate the PingFederate configuration.
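
To confirm the change after the restart or replication, inspect the Set-Cookie headers returned to the embedded login widget. The following check is an added example, not part of the PingFederate product or its documentation; the cookie names and header lines are constructed samples. It also flags missing Secure and SameSite=None, because browsers reject a Partitioned cookie that lacks Secure and do not send a cookie from a cross-site iframe unless it is SameSite=None.

```python
# Added example: audit Set-Cookie headers for a usable Partitioned attribute.
# The header lines in SAMPLE_HEADERS are constructed, not captured PingFederate output.

def parse_set_cookie(header):
    """Split one Set-Cookie value into (cookie name, {lowercased attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue  # tolerate a trailing or doubled semicolon
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def audit_cookie(header):
    """Return findings for one cookie; an empty list means it is usable in an embedded context."""
    _, attrs = parse_set_cookie(header)
    findings = []
    if "partitioned" not in attrs:
        findings.append("missing Partitioned")
    if "secure" not in attrs:
        # Browsers reject Partitioned cookies that are not also Secure.
        findings.append("missing Secure")
    if attrs.get("samesite", "").lower() != "none":
        # Without SameSite=None the cookie is not sent from a cross-site iframe.
        findings.append("SameSite is not None")
    return findings


def audit_all(headers):
    """Map each cookie name to its list of findings."""
    return {parse_set_cookie(h)[0]: audit_cookie(h) for h in headers}


# Constructed sample headers (hypothetical cookie names).
SAMPLE_HEADERS = [
    "sess_a=abc123; Path=/; Secure; HttpOnly; SameSite=None; Partitioned",
    "sess_b=abc123; Path=/; Secure; HttpOnly; SameSite=None",
    "sess_c=abc123; Path=/; HttpOnly; SameSite=Lax; partitioned;",
]

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_HEADERS).items():
        print(f"{name}: {'OK' if not findings else ', '.join(findings)}")
```

Feed it the Set-Cookie values from a response captured with the browser's developer tools or with curl -i against your own PingFederate endpoint.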