The SAML 2.0 HTTP POST binding requires that the IdP deliver an assertion by performing an HTTP POST to the SP's Assertion Consumer Service (ACS) URL. This HTTP POST is initiated on the IdP (SURFconext in this case) and processed by the SP (see: SAML authentication flow).
Some browsers (notably Chrome) restrict which cookies are sent along with a POST from one site to another. If the service provider requires its own (session or state) cookie(s) to be present when it receives the assertion POST, it must set the following cookie attributes for Chrome to include the cookie:
- The "secure" flag needs to be enabled.
- The "SameSite" attribute needs to be set to "None".
If these attributes are not set, those browsers may omit the cookies, which leads to "Session Lost" or "State Information Lost" errors for end users. As an extra complication, Chrome varies this behaviour depending on how long the user took to complete the authentication, which makes the problem harder to reproduce.
Standard SP software that relies on session cookies provides a way to set these cookie attributes correctly.
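The following checker, an added example that is not part of the original page or of any SP product, classifies an SP's Set-Cookie headers by whether Chrome would include each cookie in the IdP's cross-site POST to the ACS. The sample headers are constructed, and the age parameter models Chrome's "Lax-allowing-unsafe" grace window (a cookie without a SameSite attribute is still sent on a cross-site top-level POST if it was set less than about two minutes earlier), which is the timing dependence described above.

```python
# Added example, not from the original page. Sample Set-Cookie headers are
# constructed. The age parameter models Chrome's "Lax-allowing-unsafe" grace
# window: a cookie with no SameSite attribute is still sent on a cross-site
# top-level POST if it was set less than about two minutes earlier, which is
# why the failure depends on how long the user took to authenticate.
LAX_ALLOWING_UNSAFE_SECONDS = 120

def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, {attribute_lower: value_or_None})."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip() or None
    return name, attrs

def check_cookie(header, age_seconds=600):
    """Return (name, sent, reason): would Chrome include this cookie in the IdP's POST to the ACS?"""
    name, attrs = parse_set_cookie(header)
    secure = "secure" in attrs
    same_site = (attrs.get("samesite") or "").lower()
    if same_site == "none":
        if secure:
            return name, True, "SameSite=None; Secure: sent"
        return name, False, "SameSite=None without Secure: cookie rejected by Chrome"
    if same_site == "strict":
        return name, False, "SameSite=Strict: never sent cross-site"
    if same_site == "lax":
        return name, False, "SameSite=Lax: not sent on a cross-site POST"
    # No SameSite attribute: Chrome treats it as Lax, except inside the grace window.
    if age_seconds < LAX_ALLOWING_UNSAFE_SECONDS:
        return name, True, "no SameSite, set under 2 min ago: sent (Lax-allowing-unsafe)"
    return name, False, "no SameSite, older than 2 min: dropped (defaults to Lax)"

# Constructed sample of what an SP might emit; only the second cookie survives.
SAMPLE_HEADERS = [
    "sp_session=abc123; Path=/; HttpOnly",
    "sp_session_fixed=def456; Path=/; Secure; HttpOnly; SameSite=None",
    "sp_state=ghi789; Path=/; SameSite=None",
]

def check_all(headers=SAMPLE_HEADERS, age_seconds=600):
    return [check_cookie(h, age_seconds) for h in headers]

if __name__ == "__main__":
    for name, sent, reason in check_all():
        print(f"{name}: {'sent' if sent else 'DROPPED'} ({reason})")
```

Run it against the actual Set-Cookie headers your SP emits (for example from browser developer tools) with age_seconds set to 600 to see what a slow login looks like, and with 30 to see why a fast login appears to work.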
Read more for several products:
- SimpleSAMLphp State Information Lost
- Okta "SameSite by default" FAQ
- Mod Auth Mellon (search for SameSite)