This newsletter will bring you information about new developments regarding SURFconext, plans for the future, tips and tricks and will appear on an irregular basis.

Who receives this newsletter?
All technical and administrative contacts of a service connected to SURFconext will receive this newsletter. Subscribe here and unsubscribe here.

For an overview of all mailings by the SURFconext team, see the following page.

In this edition:

1. New Chrome version changes the way it treats cookies
2. Heads-up: SURFsecureID key rollover
3. Keep your security up to date and remove TLS 1.0 and TLS 1.1
4. Customer satisfaction
5. SP Dashboard: let us know what you think

Chrome changes the way it treats cookies

As of version 80, which will be released on 4 February, Chrome changes the way it treats cookies. In particular, it sets a new default for the SameSite attribute of cookies. Review your software and make sure you are not affected by this new behaviour, since it could break the SURFconext login.

Before Chrome 80, a cookie without a SameSite attribute was treated as "SameSite=None". The new default is "SameSite=Lax". Furthermore, cookies that explicitly set SameSite=None must also carry the "Secure" attribute. These changes can break SAML implementations that have not set these attributes on their cookies, because the SAML response reaches the SP as a cross-site POST.

We have published documentation that includes some background information and potential mitigating measures.
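To make the two conditions concrete, here is an added example (not code from the newsletter or from SURFconext) that audits Set-Cookie headers the way Chrome 80 will evaluate them and rewrites a cookie so it survives the cross-site POST of a SAML response. The header values below are constructed; the cookie names (PHPSESSID, SimpleSAMLAuthToken) are only illustrative.

```python
"""Audit Set-Cookie headers against the Chrome 80 SameSite defaults.

Added example, not part of the SURFconext newsletter. Two rules are
checked: a cookie with no SameSite attribute is now treated as Lax, so it
is not sent with a top-level cross-site POST such as the SAMLResponse
arriving at the SP's assertion consumer service (apart from Chrome's
temporary "Lax+POST" exemption for cookies less than two minutes old);
and a cookie that explicitly sets SameSite=None is rejected unless it is
also marked Secure.
"""
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample headers, as an SP might emit them during a SAML login.
SAMPLE_HEADERS = [
    "PHPSESSID=abc123; Path=/; HttpOnly",                          # no SameSite
    "SimpleSAMLAuthToken=xyz; Path=/; SameSite=None",              # None without Secure
    "session=ok; Path=/; Secure; HttpOnly; SameSite=None",         # correct for cross-site
    "csrf=t; Path=/; Secure; SameSite=Lax",                        # fine if never cross-site
]


@dataclass
class Finding:
    cookie: str
    severity: str   # "break" (login will fail) or "warn"
    message: str


def parse_set_cookie(header: str) -> Dict[str, str]:
    """Split a Set-Cookie value into the cookie pair and a lowercase attribute map.

    The name=value pair is stored under "__pair__"; flag attributes such as
    Secure and HttpOnly map to an empty string.
    """
    parts = [p.strip() for p in header.split(";")]
    attrs = {"__pair__": parts[0]}
    for part in parts[1:]:
        if not part:
            continue
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip().lower()] = value.strip()
        else:
            attrs[part.lower()] = ""
    return attrs


def audit_cookie(header: str) -> List[Finding]:
    """Return the Chrome 80 findings for one Set-Cookie header."""
    attrs = parse_set_cookie(header)
    name = attrs["__pair__"].split("=", 1)[0]
    samesite = attrs.get("samesite")
    secure = "secure" in attrs
    findings: List[Finding] = []

    if samesite is None:
        findings.append(Finding(name, "break",
            "no SameSite attribute: Chrome 80 treats it as Lax and drops it from the "
            "cross-site POST of the SAMLResponse"))
    elif samesite.lower() == "none" and not secure:
        findings.append(Finding(name, "break",
            "SameSite=None without Secure: Chrome 80 rejects the cookie"))
    elif samesite.lower() in ("lax", "strict"):
        findings.append(Finding(name, "warn",
            f"SameSite={samesite}: not sent on cross-site requests; only acceptable "
            "if no cross-site request depends on it"))

    if not secure:
        findings.append(Finding(name, "warn",
            "missing Secure: the cookie may also be sent over plain HTTP"))
    return findings


def fix_for_cross_site(header: str) -> str:
    """Rewrite a header so the cookie is accepted on a cross-site POST.

    Existing SameSite/Secure attributes are dropped and replaced by
    "SameSite=None; Secure"; all other attributes keep their order.
    """
    parts = [p.strip() for p in header.split(";") if p.strip()]
    kept = [p for p in parts[1:]
            if p.split("=", 1)[0].strip().lower() not in ("samesite", "secure")]
    return "; ".join([parts[0], *kept, "SameSite=None", "Secure"])


def main() -> None:
    for header in SAMPLE_HEADERS:
        print(header)
        for finding in audit_cookie(header):
            print(f"  [{finding.severity}] {finding.message}")
        if any(f.severity == "break" for f in audit_cookie(header)):
            print(f"  suggested: {fix_for_cross_site(header)}")


if __name__ == "__main__":
    main()
```

Only cookies that genuinely have to travel with the cross-site POST (the session or request-tracking cookie of the SP) need SameSite=None; Secure. Cookies that are only used within your own origin are better left at Lax or Strict, which is exactly the protection the new default is meant to give.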

Heads-up: SURFsecureID key rollover

SURFsecureID will migrate to a new signing key because the current one is almost 5 years old and will expire.

If your service is connected to SURFsecureID, you will need to take action; otherwise users will no longer be able to log in to your service. Most SPs can change their SAML connection from SURFsecureID to SURFconext (and we will enable SURFsecureID there). Others will need to import new SURFsecureID metadata containing the new signing key. We are still working out the details, so please read this message as a heads-up.

We will contact each SP directly via an email to their registered contact email address with more detailed instructions. SURFconext support is available for any questions or assistance at support@surfconext.nl.

Keep your security up to date and remove TLS 1.0 and TLS 1.1

You need to keep traffic to your service secure so that users can log on safely. If you still support TLS 1.0 and TLS 1.1, you need to disable them and support TLS 1.2.

No fix or patch can make SSL or the deprecated TLS versions safe enough to protect user data, so it is important that you upgrade as soon as possible. Browsers will remove support for TLS 1.0 and TLS 1.1 in early 2020, so users will be locked out of your service if it does not support a secure version. When your service was connected to SURFconext, we assessed its security measures and rated it using SSL Labs; A+ is the highest possible rating. This rating decays over time: in February it will drop to at most B if you still support TLS 1.0 and TLS 1.1. If it drops below B, we will be in touch.

Consult the SSL Labs website for an overview of user agents and their compatibility with TLS 1.2. Read our wiki on how to keep an A rating (or higher!).
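Before re-testing on SSL Labs it helps to check the protocol configuration itself. The following added example (not from the newsletter or the SURFconext wiki) audits the real nginx `ssl_protocols` and Apache mod_ssl `SSLProtocol` directives for TLS 1.0 and TLS 1.1 and shows the corrected line next to the weak one. The configuration snippets are constructed, and the set of protocols that Apache's `all` keyword expands to is an assumption about the OpenSSL build.

```python
"""Audit TLS protocol directives for deprecated versions.

Added example, not part of the SURFconext newsletter. It understands the
nginx directive `ssl_protocols <list>;`, which lists exactly the enabled
versions, and the Apache mod_ssl directive `SSLProtocol [+|-]name ...`,
whose tokens are applied left to right and where "all" enables every
version the build supports.
"""
import re
from typing import Dict, Optional, Set

# Protocol names as spelled in both directives.
DEPRECATED = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Assumed expansion of Apache's "all" for a current OpenSSL build (SSLv2 long gone).
APACHE_ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}

RECOMMENDED = {
    "nginx": "ssl_protocols TLSv1.2 TLSv1.3;",
    "apache": "SSLProtocol -all +TLSv1.2 +TLSv1.3",
}

# Constructed sample lines: two weak configurations and their corrected forms.
SAMPLE_CONFIG = [
    "ssl_protocols TLSv1 TLSv1.1 TLSv1.2;",   # weak: still offers TLS 1.0/1.1
    "SSLProtocol all -SSLv3",                 # weak: "all" keeps TLS 1.0/1.1 enabled
    "ssl_protocols TLSv1.2 TLSv1.3;",         # corrected nginx line
    "SSLProtocol -all +TLSv1.2 +TLSv1.3",     # corrected Apache line
]


def nginx_protocols(line: str) -> Set[str]:
    """Return the versions enabled by an nginx `ssl_protocols ...;` line."""
    match = re.match(r"^\s*ssl_protocols\s+([^;]+);", line)
    if not match:
        raise ValueError(f"not an ssl_protocols directive: {line!r}")
    return set(match.group(1).split())


def apache_protocols(line: str) -> Set[str]:
    """Return the versions enabled by an Apache `SSLProtocol ...` line.

    A bare name or +name enables a version, -name disables it, and "all"
    stands for APACHE_ALL; tokens take effect in order.
    """
    match = re.match(r"^\s*SSLProtocol\s+(.+?)\s*$", line)
    if not match:
        raise ValueError(f"not an SSLProtocol directive: {line!r}")
    enabled: Set[str] = set()
    for token in match.group(1).split():
        sign, name = (token[0], token[1:]) if token[0] in "+-" else ("+", token)
        names = APACHE_ALL if name.lower() == "all" else {name}
        if sign == "+":
            enabled |= names
        else:
            enabled -= names
    return enabled


def audit_line(line: str) -> Dict[str, object]:
    """Classify one directive: which versions it enables, which are deprecated,
    and the recommended replacement line (None when nothing needs changing)."""
    stripped = line.strip()
    if stripped.startswith("ssl_protocols"):
        server, enabled = "nginx", nginx_protocols(line)
    elif stripped.startswith("SSLProtocol"):
        server, enabled = "apache", apache_protocols(line)
    else:
        raise ValueError(f"unsupported directive: {line!r}")
    weak = enabled & DEPRECATED
    fix: Optional[str] = RECOMMENDED[server] if weak else None
    return {"server": server, "enabled": enabled, "deprecated": weak, "fix": fix}


def main() -> None:
    for line in SAMPLE_CONFIG:
        result = audit_line(line)
        status = "WEAK" if result["deprecated"] else "ok"
        print(f"{status:4} {line}")
        if result["fix"]:
            print(f"     still enables {sorted(result['deprecated'])}; use: {result['fix']}")


if __name__ == "__main__":
    main()
```

A configuration audit only tells you what the server is willing to negotiate; the SSL Labs test mentioned above exercises the live endpoint, including cipher suites and certificate chain, so run both after changing the directive.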

Customer satisfaction

With 141 fully completed questionnaires (99 SP, 42 IdP), the response of the last SURFconext customer satisfaction survey was above expectation. Thank you all very much for filling in the questionnaire.

Outcomes

As was the case last time, the majority of the respondents are satisfied with SURFconext, and the good scores in the report reflect this. At the same time, we can see that there is room for improvement. You mentioned a number of specific topics, such as a more straightforward connection process, more self-service, and integration with other SURF services.

What is the next step?

We will be using the coming period to convert these topics into concrete plans. Many of the topics mentioned are already on the list, but this survey will enable us to better prioritise them.

SP Dashboard: let us know what you think

If you are currently working with the SP Dashboard and find features missing or see things that could be improved, please let us know at support@surfconext.nl. In the coming months we will be working on the SP Dashboard, and your input allows us to better assess which topics should be added first.

The SURFconext Service Provider Dashboard enables you to manage your service(s) on the SURFconext platform. It allows you to create, test and edit entities before promoting them to production.