Enabling SameSite Cookie Rules
For additional cookie security, enable support for applying SameSite cookie rules, as described in the internet-draft Cookies: HTTP State Management Mechanism.
You can configure the AM server to apply SameSite cookie rules by navigating to Configure > Server Defaults > Advanced, and setting the com.sun.identity.cookie.samesite property's value to one of the following:
Strict: Requests originating from different sites will not have cookies sent with them. When this mode is enabled, any AM functionality that relies on requests being redirected back to the AM instance may not operate correctly. For example, OAuth 2.0 flows and SAML federation may not operate correctly if AM cannot access the required cookies.
Lax: Cookies are not sent with requests originating from different sites unless the request is a top-level request that uses a "safe" HTTP method, such as GET, HEAD, OPTIONS, or TRACE.
Off: No restrictions are applied to cookies based on the originating site. This is the default setting.
You must disable SameSite support if any of the following is true:
- You have set Access-Control-Allow-Credentials=true in your CORS configuration. For more information on configuring CORS in AM, see "Configuring CORS Support".
- You are using SAML HTTP-POST bindings. For example, IDP-initiated single logout (SLO) will not operate correctly if SameSite support is enabled, because the iPlanetDirectoryPro cookie would not be sent with cross-domain POST requests. For more information on SAML single logout, see Implementing SSO and SLO.
Modern browsers only allow disabling SameSite if the cookie is marked as Secure. If you need to handle cross-site requests with cookies, you should move to an HTTPS-only environment.
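The following Python model is an added illustration, not ForgeRock code: it applies the SameSite rules described above to AM's session cookie to show why a cross-site SAML HTTP-POST arrives without iPlanetDirectoryPro under Strict or Lax, while a top-level OAuth 2.0 redirect (a GET) still carries it under Lax. The Cookie and Request fields, the helper names, and the mapping of AM's Off setting to "no SameSite attribute" are assumptions made for the example.

```python
# Added example (not ForgeRock's code): a small model of the browser-side SameSite
# rules described above, to predict whether AM's session cookie accompanies a request.
# The Cookie/Request fields and helper names are assumptions made for illustration.
from dataclasses import dataclass
from typing import Optional

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}  # "safe" methods per the cited draft
SESSION_COOKIE = "iPlanetDirectoryPro"               # AM's default session cookie name


@dataclass(frozen=True)
class Cookie:
    name: str
    samesite: Optional[str]   # "Strict", "Lax", "None", or None (no attribute; AM "Off")
    secure: bool = False


@dataclass(frozen=True)
class Request:
    method: str
    cross_site: bool          # initiated from a site other than the AM instance's
    top_level: bool           # top-level navigation (address bar changes), not a fetch/iframe
    https: bool = True


def cookie_sent(cookie: Cookie, req: Request) -> bool:
    """Return True if a browser would attach `cookie` to `req`."""
    if cookie.secure and not req.https:
        return False                     # Secure cookies never travel over plain HTTP
    if cookie.samesite == "None" and not cookie.secure:
        return False                     # modern browsers reject SameSite=None without Secure
    if not req.cross_site:
        return True                      # SameSite only restricts cross-site requests
    if cookie.samesite == "Strict":
        return False                     # never sent on cross-site requests
    if cookie.samesite == "Lax":
        return req.top_level and req.method.upper() in SAFE_METHODS
    return True                          # SameSite=None or no attribute: no restriction


def saml_post_slo_carries_session(samesite: Optional[str]) -> bool:
    """IDP-initiated SLO over the HTTP-POST binding reaches AM as a cross-site, top-level POST."""
    cookie = Cookie(SESSION_COOKIE, samesite, secure=True)
    return cookie_sent(cookie, Request("POST", cross_site=True, top_level=True))


def oauth2_redirect_carries_session(samesite: Optional[str]) -> bool:
    """An OAuth 2.0 redirect back to AM is a cross-site, top-level GET."""
    cookie = Cookie(SESSION_COOKIE, samesite, secure=True)
    return cookie_sent(cookie, Request("GET", cross_site=True, top_level=True))
```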