Does not apply to Identity Cloud

OIDC flow or SAML2 federation stops working after applying SameSite Cookie patch or upgrading to AM 5.5.2, 6.5.2.3, 6.5.3 or 7.x

Last updated Feb 24, 2021

The purpose of this article is to provide assistance if the OIDC flow or SAML2 federation stops working after applying the SameSite Cookie patch or upgrading to a version that includes it.


Symptoms

You will notice that the OIDC flow or SAML2 federation fails.

OIDC flow

The OIDC flow fails when you reach the /openam?state endpoint in your browser and does not progress beyond this page. Your browser may just show a Loading... message when this happens.

You will also notice one of the following symptoms if you examine network traffic using your browser's Developer Tools or capture a HAR file:

  • The sessions?_action=getSessionInfo endpoint returns a 401 Unauthorized response and the favicon.ico endpoint may return a 502 Bad Gateway response.
  • The sessions?_action=getSessionInfo endpoint returns a 200 OK response but keeps redirecting to the favicon.ico endpoint and then back to the sessions?_action=getSessionInfo endpoint thereby creating a redirect loop.

You will also notice that the ORIG_URL cookie value is truncated, is not enclosed in double quotes (""), or is enclosed in double quotes that are not escaped. For example, it looks similar to this when it is not escaped:

{ "name": "ORIG_URL", "value": "/openam?realm= ...

For comparison, the same cookie value looks like this when it is escaped (and works as expected):

{ "name": "ORIG_URL", "value": "\"/openam?realm= ...

You can capture a HAR file as described in: How do I create a HAR file for troubleshooting AM (All versions)?

SAML2 Federation (Pre-AM 6.5.3)

You will notice the authenticationStep cookie value is not escaped:

{ "name": "authenticationStep", "value": "/openam?realm= ...

For comparison, the same cookie value looks like this when it is escaped (and works as expected):

{ "name": "authenticationStep", "value": "\"/openam?realm= ...

Recent Changes

Installed the SameSite Cookie Support Patch, or upgraded/installed a version that includes it (AM 5.5.2, AM 6.5.2.3, AM 6.5.3 or AM 7.x).

Set the following cookie settings:

com.iplanet.am.cookie.secure=true
com.sun.identity.cookie.httponly=true

Causes

The SameSite Cookie Support Patch and later releases add a new filter that sets the SameSite=None attribute for all secure AM cookies on compatible browsers. See SameSite cookie support in AM and IG for further information.

When this new filter is used, cookie values are not escaped, which can affect how they are parsed in some versions of Apache Tomcat™:

  • OIDC flow: the ORIG_URL is seen as a cookie by some authentication modules (such as OAuth2 and Adaptive Risk) and also in the OAuth2 proxy code. When this new filter is used, the ORIG_URL is truncated or not escaped.
  • SAML2 federation: the authenticationStep cookie is not escaped. This is a known issue in pre-AM 6.5.3: OPENAM-16161 ("same site patch" breaks SAML2 integrated mode on Apache Tomcat 7).

Solution

This issue can be resolved as follows depending on what functionality is affected:

  • OIDC Flow - enable the Encode Cookie Value setting as described below.
  • SAML2 federation - upgrade to AM 6.5.3 or later; you can download this from BackStage. As a workaround, you can enable the Encode Cookie Value setting as described below.

Encode Cookie Values

Enabling the Encode Cookie Value setting causes all cookie values to be Base64url encoded, so they contain no characters that need escaping.
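As an added example (not part of this article or of AM's own code), the following Python audits the ORIG_URL and authenticationStep cookies in a HAR capture for the unescaped form shown under Symptoms, and shows why a Base64url-encoded value no longer needs quoting. The RFC 2616 separator set stands in for what a legacy cookie parser expects to see quoted, the HAR fragment is constructed, and the unpadded Base64url output is an assumption about AM's exact encoding.

```python
import base64
import json
import re

# Cookies this article identifies as breaking when their values are not escaped.
WATCHED = {"ORIG_URL", "authenticationStep"}

# RFC 2109 cookies reuse the HTTP/1.1 separator set (RFC 2616): a legacy parser
# expects a value containing any of these to be wrapped in double quotes.
_SEPARATORS = re.compile(r'[()<>@,;:\\"/\[\]?={} \t]')

def b64url_encode(value: str) -> str:
    """Base64url-encode a cookie value (unpadded; padding handling is an assumption)."""
    return base64.urlsafe_b64encode(value.encode()).decode().rstrip("=")

def b64url_decode(token: str) -> str:
    """Reverse of b64url_encode, restoring the stripped padding."""
    return base64.urlsafe_b64decode(token + "=" * (-len(token) % 4)).decode()

def classify(value: str) -> str:
    """Classify a cookie value exactly as it appears in a HAR file."""
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return "escaped"        # quoted, so separators inside are tolerated
    if _SEPARATORS.search(value):
        return "unescaped"      # separators present but no quotes: the failing case
    return "safe"               # nothing that requires quoting

def audit_har(har_text: str) -> dict:
    """Return {cookie name: classification} for watched cookies in all entries."""
    findings = {}
    for entry in json.loads(har_text)["log"]["entries"]:
        for cookie in entry["response"].get("cookies", []):
            if cookie["name"] in WATCHED:
                findings[cookie["name"]] = classify(cookie["value"])
    return findings

# Constructed HAR fragment: an unescaped ORIG_URL and an escaped authenticationStep.
SAMPLE_HAR = json.dumps({"log": {"entries": [
    {"response": {"cookies": [
        {"name": "ORIG_URL", "value": "/openam?realm=/&goto=https://app.example.test/cb"},
        {"name": "authenticationStep", "value": "\"/openam?realm=/\""},
    ]}},
]}})

if __name__ == "__main__":
    print(audit_har(SAMPLE_HAR))
    raw = "/openam?realm=/&goto=https://app.example.test/cb"
    encoded = b64url_encode(raw)
    print(encoded, classify(encoded), b64url_decode(encoded) == raw)
```

The encoded value classifies as "safe" because the Base64url alphabet contains none of the separators, which is the property the Encode Cookie Value setting relies on.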

You can enable this setting using the console, Amster or ssoadm:

  • Console: navigate to: Deployment > Servers > [Server Name] > Security > Cookies and enable Encode Cookie Value.
  • Amster: follow the steps in How do I update property values in AM (All versions) using Amster? with these values:
    • Entity: SecurityProperties
    • Property: com.iplanet.am.cookie.encode
  • ssoadm: enter the following command, replacing [adminID], [passwordfile] and [server] with appropriate values:

    $ ./ssoadm update-server-cfg -u [adminID] -f [passwordfile] -s [server] -a com.iplanet.am.cookie.encode=true

Note

You must restart the web application container in which AM runs to apply these configuration changes.

See Also

SameSite cookie support in AM and IG

6.5.3 › Release Notes › Fixed Issues

Related Training

N/A

Related Issue Tracker IDs

OPENAM-16161 ("same site patch" breaks SAML2 integrated mode on Apache Tomcat 7)


Copyright and Trademarks

Copyright © 2021 ForgeRock, all rights reserved.