Since Internet Explorer is EOL, we have configured most of our LOB apps, including SRM OCI punch-out shops, to work in compatibility mode by adding the respective shop URLs to the IE Mode list. This will ensure business continuity while we look for a long-term solution. Upon doing this we stumbled upon a problem: seamless login doesn't seem to work in Edge Chromium, even though the site renders as expected after configuration. The site keeps asking for username and password, or the credentials are not working, even though the same flow works as expected when reproduced in IE.
After inspecting the session traffic via the Edge F12 tools, could it be that it is not possible to share session cookies, IDs etc. between IE and Edge until you instruct both browsers to do so in the configuration file?
Will there be a need to add a snippet in the IE mode .xml file instructing both browsers to allow this, or should it be configured via the server or SAP backend? Recommendations and workarounds will be appreciated.
timea.geczi Below is my proposed workaround, as a sysadmin, to the various stakeholders.
The issue can be attributed to a security change in modern browsers, specifically Chromium, where a new feature has been introduced that flags all cross-browser requests as SameSite=Lax, rather than SameSite=None as was the case in previous browsers. This flag is enabled regardless of whether protection against CSRF has been enabled on the server side. According to SAP, this protection is enabled by default on the server side. You can find more information in the following article: https://blogs.sap.com/2020/02/14/handling-google-chrome-samesite-cookie-change-in-sap-on-prem-applic...
SOFTWARE\Policies\Microsoft\Edge\LegacySameSiteCookieBehaviorEnabledForDomainList\1 = "www.example.com"
SOFTWARE\Policies\Microsoft\Edge\LegacySameSiteCookieBehaviorEnabledForDomainList\2 = "[*.]example.edu"
3. Hardening Firefox ESR and testing afterwards? Since many webshops, intranets and extranets work in conjunction with the SAP Portal Single Sign-On solution in (Edge -> IE compatible mode), I think an interim solution with the above setting is not a bad idea. Let me know what you think of this as a proposal to the various SRM OCI punch-out shop etc. stakeholders.
Indeed, the issue is caused by the changed SameSite behavior of the latest Chrome/Edge browsers.
The details and the solution have been described in SAP Note 2887651 (see the server-side solution).
The server-side solution reverts to the previous behavior by explicitly setting the SameSite=None and Secure attributes on all cookies issued by the SAP system.
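To make the reply above concrete, here is an added audit script (not SAP's code and not from SAP Note 2887651) that classifies Set-Cookie headers the way a current Chromium build will treat them on cross-site requests, and rewrites them with the explicit "SameSite=None; Secure" the server-side fix applies. The cookie names and values are constructed samples, not captured from a real system.

```python
"""Audit Set-Cookie headers for the Chromium SameSite default change.

Under the new Chromium default a cookie with no SameSite attribute is
treated as SameSite=Lax, so it is withheld on cross-site requests such as
a punch-out shop posting back to the SAP portal. SameSite=None is only
honoured when the cookie is also marked Secure; otherwise it is rejected.
"""
from __future__ import annotations

def parse_set_cookie(header: str) -> tuple[str, dict[str, str | None]]:
    """Split a Set-Cookie value into (cookie name, {attribute: value-or-None})."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: dict[str, str | None] = {}
    for part in parts[1:]:
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip().lower()] = value.strip()
        elif part:
            attrs[part.lower()] = None  # flag attribute such as Secure / HttpOnly
    return name, attrs

def effective_samesite(header: str) -> str:
    """How current Chromium will treat this cookie on a cross-site request."""
    _, attrs = parse_set_cookie(header)
    samesite = (attrs.get("samesite") or "").lower()
    secure = "secure" in attrs
    if samesite == "none":
        return "cross-site OK" if secure else "REJECTED (None without Secure)"
    if samesite == "strict":
        return "Strict: withheld on all cross-site requests"
    # Missing or unrecognised value falls back to the Lax default.
    return "Lax: withheld on cross-site POST/iframe"

def harden_set_cookie(header: str) -> str:
    """Rewrite the header as the server-side fix does: SameSite=None; Secure."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    kept = [p for p in parts[1:]
            if p.split("=", 1)[0].strip().lower() not in ("samesite", "secure")]
    return "; ".join([parts[0], *kept, "SameSite=None", "Secure"])

# Constructed sample headers (hypothetical values, not from a live SAP host).
SAMPLES = [
    "SAP_SESSIONID_PRD_100=abc123; Path=/; HttpOnly",
    "MYSAPSSO2=token; Path=/; Domain=.example.com; Secure; SameSite=None",
    "sap-usercontext=sap-client=100; Path=/; SameSite=None",
]

def audit(headers: list[str]) -> dict[str, str]:
    """Map each cookie name to its effective cross-site treatment."""
    return {parse_set_cookie(h)[0]: effective_samesite(h) for h in headers}

if __name__ == "__main__":
    for h in SAMPLES:
        print(f"{effective_samesite(h):45} <- {h}")
        print(f"   fixed: {harden_set_cookie(h)}")
```

Run it against the Set-Cookie headers captured in the Edge F12 Network tab for the failing punch-out flow; any cookie not reporting "cross-site OK" is one the server-side fix needs to cover.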