SameSite cookie rules
For additional cookie security, enable support for applying SameSite cookie rules, as described in the internet-draft Cookies: HTTP State Management Mechanism.
You can configure the AM server to apply
SameSite cookie rules by navigating to
Configure > Server Defaults > Advanced, and setting the
com.sun.identity.cookie.samesite property’s value
to one of the following:
Requests originating from different sites will not have cookies sent with them.
When this mode is enabled, any AM functionality that relies on requests being redirected back to the AM instance may not operate correctly. For example, OAuth 2.0 flows and SAML federation may not operate correctly if AM cannot access the required cookies.
Cookies received from different sites cannot be accessed, unless the request is using a top-level request, and uses a "safe" HTTP method, such as GET, HEAD, OPTIONS, or TRACE.
No restrictions on the domain of cookies is applied. This is the default setting.
You must disable
SameSitesupport if any of the following is true:
You have set
Access-Control-Allow-Credentials=truein your CORS configuration.
For more information on configuring CORS in AM, refer to Configure CORS support.
You are using SAML HTTP-POST bindings.
For example, IDP-initiated single logout (SLO) functionality will not operate correctly if SameSite support is enabled, as the
iPlanetDirectoryProcookie would not be accessible in cross-domain POST requests. For more information on SAML single logout, refer to Implement SSO and SLO.
Modern browsers only allow disabling