mitigating-third-party-cookie-deprecation-0ce18ce.md
Mitigating Third-Party Cookie Deprecation

Mitigate third-party cookie deprecation if your application is affected by it.

Context

Google have announced their new third-party cookie deprecation policy for enhanced privacy protection. Note that this does not mean blocking all third-party cookies, only the ones that lack the Partitioned cookie attribute.

If your Neo application is embedded in an iFrame element and supports OAuth 2.0, OIDC or SAML 2.0 authentication, some of the major authentication scenarios may be affected. For example:

  • Authentication within a third-party context
  • Single Sign-On (SSO) and Single Logout (SLO) between websites accessed in both first-party and third-party contexts
  • Session sharing between first-party and third-party contexts

To mitigate this, follow the steps below to enable cookie partitioning. Partitioning lets you maintain a seamless authentication experience across your applications even as third-party cookies are phased out.

Note:

For this mitigation, make sure your application users use a web browser that supports the following:

  • Cookie partitioning (such as Chrome 109 or higher, Edge 114 or higher, or Firefox 109 or higher).

    Users of older browser versions are not affected (their scenarios continue to work without change), but they cannot benefit from the partitioned cookies we use either.

  • (For the OIDC and SAML 2.0 scenarios only) Opening new tabs or popups for the web site running the application. The OAuth 2.0 scenario works without tabs or popups enabled.

  1. Set the required property/attribute as follows.

    • Java Application: Add the system property -Dcom.sap.cloud.security.3pc.partitioning.enabled=true. How to set the property:

      Note:

      This enables cookie partitioning for all mentioned scenarios (OAuth 2.0, OIDC and SAML 2.0) at the same time. You cannot enable it for only some of the scenarios.

    • HTML5 Application: Add the attribute sessionReuse: true in the neo-app.json file and re-deploy the application. See Application Descriptor File.

  2. Make sure the application users delete the cookies in their web browsers: either ask them to do so or provide a mechanism for cookie deletion.

Authentication scenarios continue to function even when browsers reject third-party cookies.

The session in the third-party context (within the iFrame) is maintained using partitioned cookies, which the CHIPS (Cookies Having Independent Partitioned State) specification allows as a replacement mechanism for deprecated third-party cookies.
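As an added illustration (example code written for this page, not SAP's Neo runtime or anything it ships), the following Python script shows what the partitioning switch changes at the HTTP level: the Set-Cookie attributes a browser requires before it will keep a session cookie inside a cross-site iframe (Secure, SameSite=None and Partitioned, per CHIPS), a check that reports which of them are missing from a given header, and the matching deletion header that step 2 calls for. The cookie name JSESSIONID and its value are constructed samples, and the checker's rules are this example's reading of the CHIPS requirements rather than anything the page states.

```python
from __future__ import annotations

from dataclasses import dataclass, field

# Attribute names as browsers expect them; keys are the lower-cased form used for lookup.
CANONICAL = {
    "secure": "Secure",
    "httponly": "HttpOnly",
    "samesite": "SameSite",
    "partitioned": "Partitioned",
    "path": "Path",
    "domain": "Domain",
    "max-age": "Max-Age",
    "expires": "Expires",
}


@dataclass
class ParsedCookie:
    name: str
    value: str
    # lower-cased attribute name -> string value, or True for flag attributes
    attrs: dict[str, str | bool] = field(default_factory=dict)

    def render(self) -> str:
        """Serialise back into a Set-Cookie header value, preserving attribute order."""
        parts = [f"{self.name}={self.value}"]
        for key, val in self.attrs.items():
            label = CANONICAL.get(key, key)
            parts.append(label if val is True else f"{label}={val}")
        return "; ".join(parts)


def parse_set_cookie(header: str) -> ParsedCookie:
    """Split a Set-Cookie header value into the cookie pair and its attributes.

    http.cookies.SimpleCookie rejects the Partitioned attribute, so the split is done by hand.
    """
    parts = [p.strip() for p in header.split(";")]
    name, sep, value = parts[0].partition("=")
    if not sep or not name.strip():
        raise ValueError(f"malformed cookie pair: {parts[0]!r}")
    attrs: dict[str, str | bool] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return ParsedCookie(name.strip(), value.strip(), attrs)


def partitioning_problems(header: str) -> list[str]:
    """Reasons a browser would not keep this cookie as a partitioned cookie inside a cross-site iframe."""
    cookie = parse_set_cookie(header)
    problems: list[str] = []
    if cookie.attrs.get("secure") is not True:
        problems.append("missing Secure: Partitioned cookies must be Secure")
    samesite = cookie.attrs.get("samesite")
    if not (isinstance(samesite, str) and samesite.lower() == "none"):
        problems.append("SameSite is not None: the cookie is withheld from cross-site (iframe) requests")
    if cookie.attrs.get("partitioned") is not True:
        problems.append("missing Partitioned: treated as an ordinary third-party cookie and blocked")
    return problems


def add_partitioning(header: str) -> str:
    """Rewrite a session cookie header with the attributes CHIPS requires, keeping the rest."""
    cookie = parse_set_cookie(header)
    cookie.attrs["secure"] = True
    cookie.attrs["samesite"] = "None"
    cookie.attrs["partitioned"] = True
    return cookie.render()


def expire_cookie_header(name: str, path: str = "/") -> str:
    """Deletion header for step 2: Max-Age=0 with the same partitioning attributes as the live cookie,
    so the browser matches the partitioned copy rather than an unpartitioned one of the same name."""
    return f"{name}=; Max-Age=0; Path={path}; Secure; SameSite=None; Partitioned"


if __name__ == "__main__":
    # Constructed sample: a first-party-only session cookie as an embedded app might still emit it.
    legacy = "JSESSIONID=abc123; Path=/; HttpOnly"
    for problem in partitioning_problems(legacy):
        print("-", problem)
    fixed = add_partitioning(legacy)
    print(fixed)
    assert partitioning_problems(fixed) == []
    print(expire_cookie_header("JSESSIONID"))
```

Running the script lists the three missing attributes for the legacy header, prints the rewritten header, and prints the deletion header. The check deliberately treats SameSite=Lax or Strict as a failure even when Partitioned is present, because a cookie that is never attached to cross-site requests cannot carry an iframe session no matter how it is partitioned.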

Tip:

If you need to revert this mitigation for some reason, re-deploy using the rolling-update or deploy command without the above system property, and make sure the application users delete their browser cookies again.

Related Information

Declarative Authentication

OpenID Connect (OIDC) Authentication

OAuth 2.0 Service