
Comments (9)

samuelgoto commented on August 14, 2024

Yeah, that would be great. @erik-anderson can you help us with that?


krgovind commented on August 14, 2024

Based on the discussion on the last call, I think it was made clear that CNAMEs are not a viable solution. Specifically, Safari and Samsung browsers are already placing restrictions, so we need to find alternative solutions for this use-case.

A somewhat naive question that I have for the identity folks (perhaps @hlflanagan @gffletch or @samuelgoto can help with this) is - as a long-term solution, would you consider having rp.com embed an iframe to rp.idp.com and perform the login flow within the iframe? Are there security/other considerations that make this undesirable?


lolaodelola commented on August 14, 2024

@samuelgoto This is definitely not a viable option from a Samsung Internet perspective. @krgovind if the rp.idp.com iframe is embedded in rp.com wouldn't the original issue still stand? i.e. rp.idp.com will still need to use 3rd party cookies to manage user sessions after login on rp.com since they're not SameSite. Or have I missed something here?


TanviHacks commented on August 14, 2024

Thanks Sam for filing this issue! Do you want to discuss this during Thursday's teleconference?


hlflanagan commented on August 14, 2024

"A company, say rp.com, hires the services of another company, say idp.com, to host and manage its authentication system, typically giving them a rp.idp.com subdomain." is a common pattern, yes. As I understand it, CNAMEs are complicated to maintain; doable, but less common.


gffletch commented on August 14, 2024

One concern I have is that requiring CNAMEs to solve this problem seems overly prescriptive. There are additional complications that come with using the CNAME solution that many RPs do not see as being necessary (e.g. certificate management).


samuelgoto commented on August 14, 2024

> One concern I have is that requiring CNAMEs to solve this problem seems overly prescriptive. There are additional complications that come with using the CNAME solution that many RPs do not see as being necessary (e.g. certificate management).

I'd like to focus/narrow this issue/discussion on whether CNAMEs are a viable option (as far as browsers are concerned) before assessing whether that's a good idea (as far as IDPs are concerned). If the result on viability comes back as negative, it doesn't matter whether this is a good idea or not. If it is viable, its merits can be compared against other alternatives, rather than in isolation.


krgovind commented on August 14, 2024

> @krgovind if the rp.idp.com iframe is embedded in rp.com wouldn't the original issue still stand? i.e. rp.idp.com will still need to use 3rd party cookies to manage user sessions after login on rp.com since they're not SameSite. Or have I missed something here?

@lolaodelola - Indeed. We would recommend the iframe use partitioned cross-site cookies. For example, Chrome is experimenting with a new Partitioned attribute (blog post). Partitioned state prevents cross-site tracking via state-based mechanisms.


samuelgoto commented on August 14, 2024

> would you consider having rp.com embed an iframe to rp.idp.com and perform the login flow within the iframe?

Ah, interesting question. I do believe that, in the case when rp.idp.com is providing a service to rp.com, it would be possible for rp.idp.com to be embedded into rp.com and take authentication credentials in it (e.g. usernames/passwords).
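To make the point of the last two comments concrete, here is an added example (not code from this thread, from Chrome, or from any browser) modelling how a browser that blocks unpartitioned third-party cookies would treat the session cookie that rp.idp.com sets from inside an iframe on rp.com: without SameSite=None the iframe never receives it, without Partitioned it is blocked as third-party state, and with Partitioned it is keyed by the top-level site. All function and class names are assumptions; the jar is a toy, not a browser's real cookie store.

```javascript
// Parse one Set-Cookie header into name, value and lower-cased attribute map.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const attrs = {};
  for (const a of rest) {
    const i = a.indexOf("=");
    attrs[(i === -1 ? a : a.slice(0, i)).toLowerCase()] = i === -1 ? true : a.slice(i + 1);
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs };
}

// Classify how a cookie set by an embedded cross-site iframe fares under a policy
// that blocks unpartitioned third-party cookies (assumed policy, Lax-by-default).
function classifyEmbeddedCookie(header) {
  const { attrs } = parseSetCookie(header);
  const sameSite = String(attrs.samesite || "lax").toLowerCase();
  if (sameSite !== "none") return "not-sent-cross-site"; // the iframe never sees it
  if (!attrs.secure) return "rejected-insecure";        // SameSite=None and Partitioned require Secure
  if (!attrs.partitioned) return "blocked-third-party";  // the situation lolaodelola describes
  return "partitioned";                                  // stored per top-level site
}

// Toy cookie jar keyed by (top-level site, cookie host): the same rp.idp.com iframe
// gets a separate session under each embedding site, so its state cannot be used
// to correlate the user across rp.com and other.com.
class PartitionedJar {
  constructor() { this.store = new Map(); }
  key(topLevelSite, host, name) { return `${topLevelSite}|${host}|${name}`; }
  set(topLevelSite, host, header) {
    if (classifyEmbeddedCookie(header) !== "partitioned") return false;
    const c = parseSetCookie(header);
    this.store.set(this.key(topLevelSite, host, c.name), c.value);
    return true;
  }
  get(topLevelSite, host, name) {
    return this.store.get(this.key(topLevelSite, host, name));
  }
}

// Header rp.idp.com would emit for its login session inside the rp.com iframe.
// The __Host- prefix is extra hardening (forces Secure, Path=/, no Domain); it is
// not required by the Partitioned attribute itself.
function partitionedSessionCookie(name, value) {
  return `__Host-${name}=${value}; Path=/; Secure; HttpOnly; SameSite=None; Partitioned`;
}
```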

I don't think this is common, so there is probably something I'm missing here, but I can ask around to check what I'm getting wrong.
