SAML authentication fails when SAMESITE cookies are used

Bug #2076259 reported by Jack Hodgkiss
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Identity (keystone) | New | Undecided | Unassigned | |

Bug Description

It has been noticed that SAML authentication fails during the postResponse stage of SAML authentication; the error presented to the user is:

```
Bad Request
Your browser sent a request that this server could not understand.
```

When enabling debugging of Apache2 Mellon (`/etc/apache2/mods-enabled/auth_mellon.conf`):

```
MellonDiagnosticsFile /var/log/apache2/mellon_diagnostics.log
MellonDiagnosticsEnable On
```

and looking in `/var/log/apache2/mellon_diagnostics.log`, you can see failed requests with the following error:

```
User has disabled cookies, or has lost the cookie before returning from the SAML2 login server.
```

Upon closer inspection it is clear that the `mellon-cookie` is missing; it should be created before the redirect to the SAML IdP. However, in Google Chrome this cookie is not being created, hence the error above.

Users can manually create the cookie via developer tools; however, this is not an appropriate solution. A temporary solution has been to edit `/etc/apache2/mods-enabled/auth_mellon.conf` with the following:

```
SetEnv MELLON_DISABLE_SAMESITE 1
```

This has resolved the issue, at the cost of disabling SAMESITE cookies.

This problem has been noticed after Zed upgrades and has persisted after an Antelope upgrade.
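An added example (not code from the bug report or from mod_auth_mellon) that models, in simplified form, why a cookie set before the IdP redirect can be absent when the IdP POSTs the SAMLResponse back to the SP, depending on its SameSite attribute; the Set-Cookie strings are constructed, since the report does not show the header Mellon actually emitted.

```python
"""Which cookie survives the SAML return leg? Added example, not code from
the bug report or from mod_auth_mellon. It models, simplified, the SameSite
rules Chrome applies (RFC 6265bis): the IdP returns the SAMLResponse by a
cross-site top-level POST to the SP, the request type on which Lax and
Strict cookies are withheld. The Set-Cookie strings used with it are
constructed; the report does not show the header Mellon actually sent."""
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass
class CookieDecision:
    stored: bool  # browser accepted the Set-Cookie header at all
    sent: bool    # cookie attached to the cross-site POST from the IdP
    reason: str


def parse_set_cookie(header: str) -> Tuple[str, Dict[str, str]]:
    """Split 'name=value; Attr; Attr=val' into the cookie name and a
    lower-cased attribute map (valueless attributes like Secure map to '')."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def saml_post_callback(set_cookie: str) -> CookieDecision:
    """Is a cookie set before the redirect to the IdP still available when
    the IdP POSTs the SAMLResponse back to the SP's postResponse endpoint?"""
    name, attrs = parse_set_cookie(set_cookie)
    samesite = attrs.get("samesite", "lax").lower()
    if samesite not in ("none", "lax", "strict"):
        samesite = "lax"  # missing or unknown SameSite value defaults to Lax
    if samesite == "none" and "secure" not in attrs:
        # Chrome refuses to store SameSite=None cookies that lack Secure.
        return CookieDecision(False, False, f"{name}: None without Secure, rejected")
    if samesite == "strict":
        return CookieDecision(True, False, f"{name}: Strict, never sent cross-site")
    if samesite == "lax":
        # Simplification: Chrome's short 'Lax+POST' grace period for cookies
        # with no explicit SameSite attribute is not modelled.
        return CookieDecision(True, False, f"{name}: Lax, withheld from cross-site POST")
    return CookieDecision(True, True, f"{name}: None; Secure, sent with the POST")
```

Only a cookie carrying both `SameSite=None` and `Secure` reaches the postResponse handler in this model, which is why dropping the SameSite attribute altogether (the `MELLON_DISABLE_SAMESITE` workaround) changes the outcome.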
