
yahoo-eng-team team mailing list archive

[Bug 2076259] Re: SAML authentication fails when SAMESITE cookies are used

 

This issue has been resolved in the latest release of the keystone-saml-mellon charm.

The allow-cross-site-cookies configuration option provides this (1).


(1) https://charmhub.io/keystone-saml-mellon/configurations
** Also affects: charm-keystone-saml-mellon
   Importance: Undecided
       Status: New

** Changed in: keystone
       Status: New => Invalid

** Changed in: charm-keystone-saml-mellon
       Status: New => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/2076259

Title:
  SAML authentication fails when SAMESITE cookies are used

Status in OpenStack Keystone SAML Mellon Charm:
  Fix Released
Status in OpenStack Identity (keystone):
  Invalid

Bug description:
  It has been noticed that SAML authentication fails during the
  postResponse stage of SAML authentication. The error presented to the
  user is

  ```
  Bad Request
  Your browser sent a request that this server could not understand.
  ```

  When enabling debugging of Apache2 Mellon (/etc/apache2/mods-enabled/auth_mellon.conf)

  ```
  MellonDiagnosticsFile /var/log/apache2/mellon_diagnostics.log
  MellonDiagnosticsEnable On
  ```

  and looking in `/var/log/apache2/mellon_diagnostics.log` you can see
  failed requests with the following error.

  ```
  User has disabled cookies, or has lost the cookie before returning from the SAML2 login server.
  ```

  Upon closer inspection it is clear the `mellon-cookie` is missing as
  it should be created before being redirected to the SAML IdP. However,
  in Google Chrome, this cookie is not being created hence the error
  above.

  Users can manually create the cookie via developer tools; however, this
  is not an appropriate solution. A temporary solution has been to edit
  `/etc/apache2/mods-enabled/auth_mellon.conf` with the following

  ```
  SetEnv MELLON_DISABLE_SAMESITE 1
  ```

  This has resolved the issue at the cost of disabling SAMESITE
  cookies.

  
  This problem has been noticed after Zed upgrades and has persisted after an Antelope upgrade.

To manage notifications about this bug go to:
https://bugs.launchpad.net/charm-keystone-saml-mellon/+bug/2076259/+subscriptions
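The thread above reports the symptom (the mellon-cookie never reaches the postResponse endpoint in Chrome) and two ways out: the reporter's MELLON_DISABLE_SAMESITE workaround and the charm's allow-cross-site-cookies option. Neither message shows what to look at to decide whether a given Set-Cookie header will survive the round trip through the IdP. The script below is an added example for this archive; it is not code from the bug report, from mod_auth_mellon or from the charm. It encodes the browser rules that govern the SAML POST binding: the SAML Response comes back as a cross-site top-level POST, so the SP's session cookie must be one the browser will both store and attach to that request. Chrome rejects SameSite=None cookies that lack Secure at set time, never sends Strict cookies cross-site, sends Lax cookies only on cross-site top-level GETs, and treats a cookie with no SameSite attribute as Lax apart from a two-minute "Lax+POST" grace period. The Set-Cookie header strings are constructed for illustration (the cookie name mirrors Mellon's, the attribute combinations are hypothetical), and the parser is a minimal one written for this example.

```python
"""Classify Set-Cookie headers for the SAML POST-binding round trip.

Added example, not from the bug report or the charm. The SAML Response is
delivered as a cross-site top-level POST to the SP, so the session cookie
set before the redirect to the IdP must be one the browser is willing to
store and to attach to that cross-site POST. The rules below are Chrome's
cookie behaviour; the sample headers are constructed, not captured.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Verdict:
    name: str        # cookie name
    samesite: str    # "none", "lax", "strict" or "unspecified"
    secure: bool     # Secure attribute present
    reliable: bool   # reliably attached to the cross-site POST from the IdP?
    reason: str


def parse_set_cookie(header: str):
    """Split 'name=value; Attr; Attr=val' into (name, value, {attr_lower: val}).

    Minimal parser for this example: attributes are case-insensitive and
    value-less attributes (Secure, HttpOnly) map to an empty string.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def check_cookie(header: str, over_https: bool = True) -> Verdict:
    """Apply the browser rules that decide whether the cookie reaches postResponse."""
    name, _, attrs = parse_set_cookie(header)
    secure = "secure" in attrs
    samesite = attrs.get("samesite", "").lower() or "unspecified"

    if secure and not over_https:
        return Verdict(name, samesite, secure, False,
                       "Secure cookie set over plain HTTP is never stored")
    if samesite == "none":
        if not secure:
            return Verdict(name, samesite, secure, False,
                           "SameSite=None without Secure: Chrome rejects the cookie when it is "
                           "set, so it is already gone before the redirect to the IdP")
        return Verdict(name, samesite, secure, True,
                       "SameSite=None; Secure: stored and sent on the cross-site POST")
    if samesite == "strict":
        return Verdict(name, samesite, secure, False,
                       "SameSite=Strict: never attached to a cross-site request")
    if samesite == "lax":
        return Verdict(name, samesite, secure, False,
                       "SameSite=Lax: attached to cross-site top-level GETs only, "
                       "not to the POST binding")
    return Verdict(name, samesite, secure, False,
                   "no SameSite attribute: Chrome treats it as Lax; the 'Lax+POST' grace "
                   "covers only cookies under two minutes old, so the login succeeds or "
                   "fails depending on how long the IdP step takes")


# Constructed Set-Cookie headers for illustration (not captured from a real
# deployment); the cookie name mirrors Mellon's, the attribute mixes are hypothetical.
SAMPLE_HEADERS = {
    "none_without_secure": "mellon-cookie=cookietest; Version=1; Path=/; SameSite=None",
    "strict": "mellon-cookie=cookietest; Version=1; Path=/; Secure; HttpOnly; SameSite=Strict",
    "lax": "mellon-cookie=cookietest; Version=1; Path=/; Secure; HttpOnly; SameSite=Lax",
    "unspecified": "mellon-cookie=cookietest; Version=1; Path=/; Secure; HttpOnly",
    "none_with_secure": "mellon-cookie=cookietest; Version=1; Path=/; Secure; HttpOnly; SameSite=None",
}


def check_all(headers=SAMPLE_HEADERS, over_https=True):
    """Run check_cookie over a labelled set of headers; returns {label: Verdict}."""
    return {label: check_cookie(h, over_https) for label, h in headers.items()}


if __name__ == "__main__":
    for label, v in check_all().items():
        print(f"{label:20} samesite={v.samesite:12} secure={v.secure!s:5} "
              f"reliable={v.reliable!s:5} {v.reason}")
```

To use it against a live SP, capture the Set-Cookie header Apache emits on the initial request that redirects to the IdP (for example from the browser's network panel or a curl -i against the protected URL) and pass that string to check_cookie. Only the SameSite=None; Secure combination passes, which is also why a workaround that simply disables the SameSite attribute works: the cookie then falls back to Chrome's default-Lax handling, which is exactly the timing-dependent case flagged as unreliable here.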