Google Chrome has announced that it is deprecating third-party cookies in 2024. This change might break PingFederate use cases that rely on iframe-based login widgets.

You can enable the Partitioned attribute for cookies set by PingFederate. This ensures that, when a cookie is created in a given context (such as an application using an embedded login widget), the cookie will continue to be readable within that same context.

This feature is controlled with a config-store file called global-cookie-config.xml, and is disabled by default.

  1. Go to <PF_installation>/server/default/data/config-store/global-cookie-config.xml.
  2. Change the enable-partitioned-cookies value to true.

    The file should now look like the following.

    <?xml version="1.0" encoding="UTF-8"?>
    <c:config xmlns:c="http://www.sourceid.org/2004/05/config">
        <c:item name="enable-partitioned-cookies">true</c:item>
        <!--Partitioned cookie incompatible User-Agent exclusion list
        each listItem must be regex targeting specific User-Agent(s)-->
        <c:list name="partitioned-cookies-user-agent-exclusion"></c:list>
    </c:config>
  3. Optional: Instead of editing the file, you can make this change with the following REST call to PingFederate's administrative API.
    curl -u <username:password> -X 'PUT' \
      'https://<PF_host>/pf-admin-api/v1/configStore/global-cookie-config/enable-partitioned-cookies' \
      -H 'accept: application/json' \
      -H 'Content-Type: application/json' \
      -H 'X-XSRF-Header: PingFederate' \
      -d '{"id": "enable-partitioned-cookies", "type": "STRING", "stringValue": "true"}'
  4. Depending on the clustering mode of your deployment, either:
    • In a standalone environment, restart PingFederate.
    • In a clustered environment, replicate the PingFederate configuration.
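
To confirm the setting took effect after step 4, the following added example (not part of the PingFederate documentation) audits `Set-Cookie` response headers for `Partitioned`, together with `Secure` (which browsers require on partitioned cookies) and `SameSite=None` (needed for a cookie to be sent from a cross-site iframe). The function names, cookie names and sample response are constructed for illustration.

```shell
# Added example: read raw HTTP response headers on stdin and report, per cookie,
# whether it carries Partitioned, Secure and SameSite=None.
# Exit status is 0 only if at least one cookie was seen and all of them pass.
audit_partitioned_cookies() {
  tr -d '\r' | awk '
    tolower($0) ~ /^set-cookie:/ {
      seen = 1
      line = $0
      sub(/^[^:]*:[ \t]*/, "", line)        # drop the header name
      n = split(line, part, /;[ \t]*/)       # part[1] is name=value
      name = part[1]; sub(/=.*/, "", name)
      partitioned = secure = samesite_none = 0
      for (i = 2; i <= n; i++) {
        attr = tolower(part[i]); gsub(/[ \t]+$/, "", attr)
        if (attr == "partitioned")   partitioned = 1
        if (attr == "secure")        secure = 1
        if (attr == "samesite=none") samesite_none = 1
      }
      missing = ""
      if (!partitioned)   missing = missing " Partitioned"
      if (!secure)        missing = missing " Secure"
      if (!samesite_none) missing = missing " SameSite=None"
      if (missing == "") print "OK   " name
      else { print "FAIL " name " missing:" missing; bad = 1 }
    }
    END { exit (bad || !seen) ? 1 : 0 }
  '
}

# Constructed sample response (cookie names and values are placeholders).
sample_response() {
  cat <<'EOF'
HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: SAMPLE_A=constructed1; Path=/; Secure; HttpOnly; SameSite=None; Partitioned
Set-Cookie: SAMPLE_B=constructed2; Path=/; Secure; HttpOnly; SameSite=None
EOF
}

# Offline demonstration on the constructed sample:
sample_response | audit_partitioned_cookies || true
# Against a live server (URL is a placeholder):
#   curl -s -D - -o /dev/null '<URL of a page that sets PingFederate cookies>' | audit_partitioned_cookies
```

Run the live check with the User-Agent of the browsers you care about, because the `partitioned-cookies-user-agent-exclusion` list in the configuration file is matched against the User-Agent.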