SAML CSRF token not consistently sent with SAMLResponse when network.cookie.sameSite.laxByDefault is true in Firefox


    • Type: Bug
    • Resolution: Incorrectly Filed
    • Priority: Low
    • Component/s: IdP SSO - User Login
    • Severity 3 - Minor

      Issue Summary

      SAML SSO logins through Firefox intermittently fail with the error SAML+Request+was+not+initiated+by+the+service when network.cookie.sameSite.laxByDefault is set to true. The issue can be avoided by setting an explicit SameSite value on the saml.csrf.token cookie; because that cookie has to accompany a cross-site POST (the SAMLResponse from the IdP), the value that works is SameSite=None together with Secure.

      Steps to Reproduce

      1. In Firefox, open about:config and set network.cookie.sameSite.laxByDefault to true
      2. Navigate to an Atlassian URL in an unauthenticated state
      3. You are redirected to id.atlassian.com
      4. Enter the email of an account that is assigned to an SSO-enforced authentication policy and click Continue
      5. Authenticate at your identity provider; the IdP posts the SAMLResponse back to Atlassian

      Expected Results

      User is successfully authenticated and returned to the Atlassian URL they were attempting to access in Step 2.

      Actual Results

      The SSO login attempt fails, and the URL of the error page carries SAML+Request+was+not+initiated+by+the+service. The saml.csrf.token cookie is set without a SameSite attribute, so with laxByDefault enabled Firefox treats it as SameSite=Lax, and a Lax cookie is not attached to a cross-site POST such as the IdP's SAMLResponse to the Atlassian assertion consumer endpoint. Without the cookie the service cannot match the response to the request it issued and rejects the login.

      Workaround

      There are two client-side workarounds, both in Firefox's about:config:

      • Set network.cookie.sameSite.laxByDefault back to false (the browser default), so cookies without a SameSite attribute are again sent with cross-site requests
      • Keep network.cookie.sameSite.laxByDefault set to true and add auth.atlassian.com to network.cookie.sameSite.laxByDefault.disabledHosts, which exempts cookies set by that host from the Lax default

      Both only affect the browser they are applied in; the durable fix is for the service to set an explicit SameSite attribute on the saml.csrf.token cookie.
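      The following is an added example, not code from this issue or from Atlassian. It models the decision a browser makes when attaching a cookie to a request and replays the SAML POST binding under the two Firefox prefs named above, alongside the weak and corrected Set-Cookie headers for the CSRF cookie. The IdP host idp.example.com, the ACS path, the cookie value and the two-minute "Lax+POST" grace window (which is how the model accounts for the intermittent rather than constant failure) are assumptions, not facts taken from the report.

```javascript
// Added example, not code from the Jira issue or from Atlassian: a small model of the
// SameSite decision a browser makes when it attaches cookies to a request, used to
// replay the SAML POST binding under Firefox's network.cookie.sameSite.laxByDefault
// pref. The IdP host, the ACS path and the cookie value are constructed for illustration.

// Assumption: Chrome and Firefox both allow a cookie that was set less than two minutes
// ago to ride on a cross-site top-level POST even when Lax is only implied ("Lax+POST");
// in Firefox the window is network.cookie.sameSite.laxPlusPOST.timeout.
const LAX_PLUS_POST_GRACE_MS = 2 * 60 * 1000;

const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);

// Simplification: take the last two labels as the registrable domain. Real browsers
// consult the Public Suffix List, which matters for hosts such as example.co.uk.
function registrableDomain(hostname) {
  return hostname.split('.').slice(-2).join('.');
}

// Build the Set-Cookie header value the service emits for the CSRF cookie.
function setCookieHeader(name, value, { sameSite, secure = true } = {}) {
  const parts = [`${name}=${value}`, 'Path=/', 'HttpOnly'];
  if (secure) parts.push('Secure');
  if (sameSite) parts.push(`SameSite=${sameSite}`);
  return parts.join('; ');
}

// Decide whether `cookie` accompanies `request`.
//   cookie:  { name, host, sameSite: 'Strict'|'Lax'|'None'|undefined, secure, setAt }
//   request: { url, method, topLevel, initiatorHost, now }
//   prefs:   { laxByDefault, disabledHosts }   (the two Firefox about:config prefs)
function cookieIsSent(cookie, request, prefs) {
  const target = new URL(request.url);
  if (registrableDomain(target.hostname) === registrableDomain(request.initiatorHost)) {
    return true;                       // same-site: every cookie is attached
  }
  let mode = cookie.sameSite;
  let inGraceWindow = false;
  if (mode === undefined) {
    // No SameSite attribute: the pref decides how the browser interprets it, unless the
    // cookie's host is listed in network.cookie.sameSite.laxByDefault.disabledHosts.
    const exempt = prefs.disabledHosts.includes(cookie.host);
    if (prefs.laxByDefault && !exempt) {
      mode = 'Lax';
      inGraceWindow = request.now - cookie.setAt < LAX_PLUS_POST_GRACE_MS;
    } else {
      mode = 'None';                   // legacy behaviour: sent on every request
    }
  }
  if (mode === 'Strict') return false;
  if (mode === 'None') return cookie.secure;   // SameSite=None is only honoured with Secure
  // Lax: cross-site requests carry the cookie only on top-level safe-method navigations.
  return request.topLevel && (SAFE_METHODS.has(request.method.toUpperCase()) || inGraceWindow);
}

// Replay the flow from the report: the service sets saml.csrf.token on auth.atlassian.com,
// the user authenticates at the IdP, and the IdP posts the SAMLResponse back cross-site.
function samlScenarios() {
  const csrfCookie = (sameSite) => ({
    name: 'saml.csrf.token', host: 'auth.atlassian.com', sameSite, secure: true, setAt: 0,
  });
  const samlResponsePost = (elapsedMs) => ({
    url: 'https://auth.atlassian.com/login/saml/acs',   // constructed ACS path
    method: 'POST', topLevel: true, initiatorHost: 'idp.example.com', now: elapsedMs,
  });
  const FAST = 30 * 1000, SLOW = 10 * 60 * 1000;       // IdP login took 30 s / 10 min
  const firefoxDefault = { laxByDefault: false, disabledHosts: [] };
  const laxByDefault = { laxByDefault: true, disabledHosts: [] };
  const hostExempted = { laxByDefault: true, disabledHosts: ['auth.atlassian.com'] };
  return {
    defaultPrefs: cookieIsSent(csrfCookie(undefined), samlResponsePost(SLOW), firefoxDefault),
    laxByDefaultFastLogin: cookieIsSent(csrfCookie(undefined), samlResponsePost(FAST), laxByDefault),
    laxByDefaultSlowLogin: cookieIsSent(csrfCookie(undefined), samlResponsePost(SLOW), laxByDefault),
    disabledHostsWorkaround: cookieIsSent(csrfCookie(undefined), samlResponsePost(SLOW), hostExempted),
    explicitLax: cookieIsSent(csrfCookie('Lax'), samlResponsePost(SLOW), laxByDefault),
    explicitNone: cookieIsSent(csrfCookie('None'), samlResponsePost(SLOW), laxByDefault),
    weakHeader: setCookieHeader('saml.csrf.token', 'c0ffee'),
    fixedHeader: setCookieHeader('saml.csrf.token', 'c0ffee', { sameSite: 'None' }),
  };
}

console.table(samlScenarios());
```

      Run with node to print the table. The rows show the report's symptoms in miniature: with default prefs the attribute-less cookie is sent; with laxByDefault it is sent only while the grace window is open, so a login that takes longer at the IdP fails; listing auth.atlassian.com in disabledHosts restores the legacy behaviour for that host; and an explicit SameSite=None; Secure cookie is sent regardless of the pref, while an explicit SameSite=Lax would break the flow in every browser.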

            Assignee:
            Unassigned
            Reporter:
            John A [Atlassian Support]