SameSite cookies (TIH as of v1.67)
As of The Identity Hub v1.67, cookies set by The Identity Hub have their SameSite mode set by The Identity Hub itself and no longer require an outbound rule.
The default used is SameSite.Lax where applicable.
Additionally, cookie prefixes (__Host-, __Secure-) are applied to make the intended scope of each cookie explicit.
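The prefix and SameSite attribute rules that browsers enforce can be verified against the Set-Cookie headers a deployment actually emits. The following Python checker is an added example, not code from The Identity Hub; the header values used as input are constructed. It reports the attribute combinations browsers reject or reinterpret: the __Host- and __Secure- prefix requirements, SameSite=None without Secure, and a missing SameSite attribute (treated as Lax by browsers that implement the new default).

```python
# Added example: checks a single Set-Cookie header value for the constraints
# browsers enforce on cookie prefixes and the SameSite attribute.
# Not part of The Identity Hub; sample header values are constructed.

def parse_set_cookie(header: str):
    """Split 'name=value; Attr; Attr=val' into (name, value, {attr_lower: val})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def check_cookie(header: str) -> list[str]:
    """Return a list of findings; an empty list means the header is acceptable."""
    name, _, attrs = parse_set_cookie(header)
    findings = []
    secure = "secure" in attrs
    samesite = attrs.get("samesite", "").lower()

    # __Host- cookies must be Secure, Path=/ and carry no Domain attribute,
    # so they can only be set by (and sent to) the exact host that issued them.
    if name.startswith("__Host-"):
        if not secure:
            findings.append("__Host- prefix requires Secure")
        if attrs.get("path") != "/":
            findings.append("__Host- prefix requires Path=/")
        if "domain" in attrs:
            findings.append("__Host- prefix forbids a Domain attribute")
    # __Secure- cookies must at least be Secure.
    elif name.startswith("__Secure-"):
        if not secure:
            findings.append("__Secure- prefix requires Secure")

    # SameSite=None is only accepted together with Secure.
    if samesite == "none" and not secure:
        findings.append("SameSite=None requires Secure; browsers reject the cookie")

    if "samesite" not in attrs:
        findings.append("no SameSite attribute: browsers with the new default treat it as Lax")
    elif samesite not in ("none", "lax", "strict"):
        findings.append(f"unknown SameSite value {attrs['samesite']!r}")
    return findings


if __name__ == "__main__":
    # Constructed sample headers, one compliant and three with defects.
    for sample in (
        "__Host-session=abc; Secure; Path=/; HttpOnly; SameSite=Lax",
        "__Host-session=abc; Secure; HttpOnly; SameSite=Lax",
        "corr=xyz; SameSite=None",
        "sid=1; Secure",
    ):
        print(sample, "->", check_cookie(sample) or "ok")
```

Running the checker over the headers of a staging instance after the v1.67 upgrade confirms that every __Host- cookie carries Path=/ and no Domain, and that any cookie still marked SameSite=None is also Secure.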
SameSite cookies (TIH prior to v1.67)
As of February 2020, browsers are starting to roll out the new default behavior of the updated SameSite RFC: cookies that do not specify a SameSite attribute are treated as SameSite=Lax.
Chrome and Chromium-based browsers have been announced to roll this out first.
Because The Identity Hub requires some cookies to be sent cross-site, this change might cause problems.
To mitigate this problem during the migration phase, we advise you to opt out of the new behavior by specifying an outbound rule in the web.config of your installation of The Identity Hub.
Applying this outbound rule does not require a new installation of The Identity Hub, as cookies set by The Identity Hub are already marked Secure (SameSite=None is only accepted by browsers when the cookie is also Secure).
However, as the changes to the RFC are not backwards compatible, older browsers which do not recognize the SameSite=None value might no longer work.
For a list of non-compatible browsers, please check this link.
We recommend that your users upgrade to newer versions of their preferred browser.
In case you need the outbound rule to be browser specific, it is possible to add a condition to the outbound rule that takes the user agent into account; see below.
If you are using our ASPNET SDK to connect apps to The Identity Hub, you can find the latest version of the SDK here.
Please note that we updated the version number, so you will need to apply the necessary changes to the config file of the app; see below.
We will continue to monitor both browser upgrades and the 3rd party components used by The Identity Hub to see how they progress with the new standard, and will roll out a new version of The Identity Hub restricting cookies on a more individual level as soon as we see fit.
How to apply a global outbound rule to specify SameSite=None to all cookies set by The Identity Hub
- In the root folder of The Identity Hub installation, open your web.config file
- Navigate to the section specifying outbound rules:
<system.webServer>
  <rewrite>
    <outboundRules>
- Directly below the last specified outbound rule, paste the following into the outboundRules node:
<rule name="Add SameSite None" preCondition="No SameSite">
  <match serverVariable="RESPONSE_Set_Cookie" pattern=".*" negate="false" />
  <action type="Rewrite" value="{R:0}; SameSite=None" />
  <conditions>
  </conditions>
</rule>
<preConditions>
  <preCondition name="No SameSite" logicalGrouping="MatchAll">
    <add input="{RESPONSE_Set_Cookie}" pattern="." />
    <add input="{RESPONSE_Set_Cookie}" pattern="; SameSite=" negate="true" />
  </preCondition>
</preConditions>
- Save your web.config
- In case you have multiple instances running, repeat this for all instances
How to exclude an incompatible browser
Older browsers which implement the earlier RFC and do not recognize SameSite=None treat the value as Strict.
This prevents cookies from being sent cross-site (e.g. SP to IdP communication).
For these browsers you can prevent the outbound rule from setting SameSite=None by excluding them in the rule's conditions, which are evaluated after the precondition.
Sample for iPad or iPhone with iOS 12
- In the conditions of the rule with name="Add SameSite None", set:
<conditions logicalGrouping="MatchAll">
  <add input="{HTTP_USER_AGENT}" pattern=".*iP.*OS 12.*" negate="true"/>
</conditions>
Note
As this is an exclusion rule, note the negate="true".
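To verify what the global outbound rule above and its iOS 12 exclusion actually do to a response before changing a production web.config, the rule can be emulated outside IIS. The following Python emulation is an added example, not code from The Identity Hub or from IIS URL Rewrite; it copies the regular expressions from the rule and precondition on this page, assumes the IIS default of case-insensitive pattern matching, and uses constructed Set-Cookie values and user-agent strings.

```python
import re

# Added example: emulates the "Add SameSite None" outbound rule, its
# "No SameSite" precondition and the iOS 12 user-agent exclusion.
# Patterns are copied from the web.config fragments on this page. IIS URL
# Rewrite matches case-insensitively by default (ignoreCase="true"), hence
# re.IGNORECASE. This is an emulation for testing, not the IIS module itself.
PRECONDITION_NON_EMPTY = re.compile(r".", re.IGNORECASE)          # pattern="."
PRECONDITION_HAS_SAMESITE = re.compile(r"; SameSite=", re.IGNORECASE)  # negate="true"
MATCH_WHOLE_HEADER = re.compile(r".*", re.IGNORECASE)             # match pattern=".*"
EXCLUDED_USER_AGENT = re.compile(r".*iP.*OS 12.*", re.IGNORECASE)  # condition, negate="true"

# Constructed user-agent strings for the demonstration (not real captures).
CHROME_UA = "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 Chrome/80.0 Safari/537.36"
IOS12_UA = "Mozilla/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) AppleWebKit/605.1.15"


def precondition_no_samesite(set_cookie: str) -> bool:
    """MatchAll: header is non-empty AND does not already carry '; SameSite='."""
    return (PRECONDITION_NON_EMPTY.search(set_cookie) is not None
            and PRECONDITION_HAS_SAMESITE.search(set_cookie) is None)


def conditions_allow(user_agent: str) -> bool:
    """negate="true": the rule only fires when the user agent does NOT match."""
    return EXCLUDED_USER_AGENT.search(user_agent) is None


def apply_samesite_rule(set_cookie: str, user_agent: str) -> str:
    """Return the Set-Cookie value as the outbound rule would rewrite it."""
    if not precondition_no_samesite(set_cookie):
        return set_cookie
    if not conditions_allow(user_agent):
        return set_cookie
    whole = MATCH_WHOLE_HEADER.match(set_cookie).group(0)  # {R:0}
    return f"{whole}; SameSite=None"                        # action value


def rewrite_response_headers(headers, user_agent: str):
    """Apply the rule to every Set-Cookie header of a response; other headers pass through."""
    return [
        (name, apply_samesite_rule(value, user_agent) if name.lower() == "set-cookie" else value)
        for name, value in headers
    ]


if __name__ == "__main__":
    # Constructed response headers: one cookie without SameSite, one with it.
    response = [
        ("Content-Type", "text/html"),
        ("Set-Cookie", "corr=abc; Path=/; Secure; HttpOnly"),
        ("Set-Cookie", "pref=1; Path=/; Secure; SameSite=Lax"),
    ]
    for ua in (CHROME_UA, IOS12_UA):
        print(ua.split(" ")[1], rewrite_response_headers(response, ua))
```

Two properties of the page's patterns are visible in the emulation: the precondition looks for the literal "; SameSite=" with a space after the semicolon, so a header written as ";SameSite=Lax" would not be recognized and would receive a second SameSite attribute; and the user-agent exclusion is a substring match on "iP" followed by "OS 12", which is what keeps iPhone and iPad on iOS 12 out of the rewrite.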
How to update the ASPNET SDK
As the version number of our ASPNET SDK is raised to 2.0.0.0, please note that, after installing the new package, you will also need to update the following in the config file of your web app using our SDK:
<system.webServer>
  <modules>
    <!-- THE IDENTITY HUB SPECIFIC CONFIG -->
    <remove name="FormsAuthentication" />
    <add name="HubAuthenticationModule" type="TheIdentityHub.HubAuthenticationModule, TheIdentityHub, Version=2.0.0.0, Culture=neutral, PublicKeyToken=25fd43e98a2121e5" />
  </modules>
</system.webServer>
Note
The SDK now depends on .NET 4.7.2.
If upgrading the ASPNET SDK is not an option, you can consider applying the outbound rule described above in the web.config of your web application.