[ID-8815] SAML CSRF token not consistently sent with SAMLResponse when network.cookie.sameSite.laxByDefault is true in Firefox

      Issue Summary

      SAML SSO logins via Firefox intermittently fail with the error SAML+Request+was+not+initiated+by+the+service when network.cookie.sameSite.laxByDefault is set to true. The failure is avoided by explicitly setting the SameSite attribute on the saml.csrf.token cookie instead of relying on the browser default.

      Steps to Reproduce

      1. In Firefox, edit about:config and set network.cookie.sameSite.laxByDefault to true
      2. Navigate to an Atlassian URL in an unauthenticated state
      3. Get redirected to id.atlassian.com
      4. Enter the email of an account that's assigned to an SSO-enforced authentication policy and click Continue
      5. Authenticate via your identity provider and get passed back to Atlassian.

      Expected Results

      User is successfully authenticated and returned to the Atlassian URL they were attempting to access in Step 2.

      Actual Results

      The SSO login attempt fails with the SAML+Request+was+not+initiated+by+the+service error in the URL of the error page because the saml.csrf.token cookie is not sent with the cross-site SAMLResponse from the IdP.

      Workaround

      There are two workarounds available:

      • Edit the about:config for Firefox and set network.cookie.sameSite.laxByDefault to false (matching the browser default value)
      • Edit the about:config for Firefox and add auth.atlassian.com as a value for network.cookie.sameSite.laxByDefault.disabledHosts
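      The following Python model is an added illustration, not Atlassian's code or the Identity service's real implementation. It shows why the saml.csrf.token cookie is dropped from the cross-site SAMLResponse POST when the cookie carries no SameSite attribute and lax-by-default is on, why both workarounds above restore the login, and why setting SameSite=None; Secure explicitly fixes it for every browser setting. The pref names and the error string come from this issue; the class and function names, the token-binding check in sp_validate, and the rule that an explicit SameSite=None is only honoured on a Secure cookie are assumptions of the model.

```python
"""Added example (not Atlassian's code): models SameSite cookie attachment for the
SAML POST binding (IdP -> service provider) under Firefox's lax-by-default setting."""
import hmac
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional

# Error string seen in the URL of the failed login (from the issue).
CSRF_ERROR = "SAML+Request+was+not+initiated+by+the+service"


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    same_site: Optional[str] = None  # "Strict", "Lax", "None", or None when the attribute is absent
    secure: bool = False


@dataclass(frozen=True)
class BrowserPolicy:
    """Firefox prefs named in the issue; their semantics are modelled here, not taken from Firefox source."""
    lax_by_default: bool = False                    # network.cookie.sameSite.laxByDefault
    disabled_hosts: FrozenSet[str] = frozenset()    # network.cookie.sameSite.laxByDefault.disabledHosts


def effective_same_site(cookie: Cookie, policy: BrowserPolicy, sp_host: str) -> str:
    """Resolve the SameSite mode the browser applies to this cookie."""
    if cookie.same_site is not None:
        return cookie.same_site
    # Attribute absent: lax-by-default applies unless the setting host is exempted.
    if policy.lax_by_default and sp_host not in policy.disabled_hosts:
        return "Lax"
    return "None"


def sent_with_cross_site_post(cookie: Cookie, policy: BrowserPolicy, sp_host: str) -> bool:
    """Would the browser attach this cookie to a top-level cross-site POST (the SAMLResponse)?"""
    mode = effective_same_site(cookie, policy, sp_host)
    if mode == "None":
        # Modelling assumption: an explicit SameSite=None is only honoured on a Secure cookie;
        # a cookie that is None only by default (attribute absent) has no such requirement.
        return cookie.secure or cookie.same_site is None
    return False  # Strict and Lax cookies are withheld from cross-site POSTs


def sp_validate(request_cookies: Dict[str, str], expected_token: str) -> str:
    """Service-provider check: the CSRF cookie must match the token issued with the AuthnRequest.
    How the real service binds the token to the request is not on the page; this is an assumption."""
    got = request_cookies.get("saml.csrf.token")
    if got is None or not hmac.compare_digest(got, expected_token):
        return CSRF_ERROR
    return "ok"


def simulate_login(cookie: Cookie, policy: BrowserPolicy, sp_host: str = "auth.atlassian.com") -> str:
    """Replay the IdP's POST back to the service provider and return the SP's verdict."""
    cookies = {cookie.name: cookie.value} if sent_with_cross_site_post(cookie, policy, sp_host) else {}
    return sp_validate(cookies, cookie.value)


def scenarios() -> Dict[str, str]:
    """The four situations described in the issue: default browser, the bug, and the two fixes."""
    token = "constructed-sample-token"  # constructed value, not a real token
    implicit = Cookie("saml.csrf.token", token)                          # no SameSite attribute (the bug)
    explicit = Cookie("saml.csrf.token", token, "None", secure=True)     # explicit SameSite=None; Secure
    return {
        "firefox-default": simulate_login(implicit, BrowserPolicy()),
        "lax-by-default": simulate_login(implicit, BrowserPolicy(lax_by_default=True)),
        "lax-by-default+disabledHosts": simulate_login(
            implicit, BrowserPolicy(True, frozenset({"auth.atlassian.com"}))),
        "explicit-samesite-none": simulate_login(explicit, BrowserPolicy(lax_by_default=True)),
    }


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:32s} {verdict}")
```

      Only the second scenario produces the error: the cookie falls back to Lax and is withheld from the IdP's cross-site POST, so the CSRF check has nothing to compare. Exempting the host or turning lax-by-default off restores the old default of None, while the explicit SameSite=None; Secure cookie is attached under every browser setting, which is why it is the durable fix rather than a per-browser workaround.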


            Jia Luo added a comment -

            Identity has rolled out a fix for this issue.
