Technology Blogs by SAP
ValAtanassov
Product and Topic Expert

Action:

As of May 22, 2023 the Storage Access API is available for all SAP Cloud Identity Services tenants.

We recommend that you test your application. For more information, see Testing Your Solution For Breakage.

Background

A while ago Google announced the deprecation of third-party cookies for Chrome-based browsers (Prepare for third-party cookie restrictions). Starting Q1 2024, third-party cookies are already disabled for 1% of all browsers, with the goal of completely phasing out the old way of using cookies by mid-Q3 2024.

The Affected

As a result, certain sign-in scenarios involving Single Sign-On (SSO) may be affected. Deprecating the traditional way of using cookies means that browsers will automatically block cookies from applications embedded in an inline frame (iframe), for example, thus breaking sign-in flows. As Identity Authentication is often embedded in top-level pages, it had to ensure that the SSO flow continues to function. There are a couple of solutions that administrators can implement after the start of the deprecation period.

The Solutions

Cookies Having Independent Partitioned State (CHIPS)

In this scenario, embedded applications can set partitioned cookies that can be used only on the current top-level site. The implementation of CHIPS depends on the developers of the given applications. The application has to be extended to support it. You can read more about that in Cookies Having Independent Partitioned State (CHIPS).

Storage Access API

This is also what Identity Authentication currently uses and supports. Read more at Storage Access API.

In the typical sign-in flow, the embedded application requests storage access permission from the browser. On a sign-in attempt, the user sees the following message:

[Image: Screenshot 2024-04-02 at 10.41.14.png]

Once Continue is chosen, a request is triggered asking the browser to offer the option of allowing access to cookies. The prompt is similar to the one below:

[Image: Screenshot 2024-04-02 at 10.50.17.png]
If access is allowed, the sign-in flow continues.

If denied, the sign-in flow of the embedded Identity Authentication sign-in screen is broken and no sign-in is possible. The user sees the following message:

[Image: Screenshot 2024-04-02 at 10.42.53.png]
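The two-step flow described above (check for access, then ask for it from the Continue click, and handle the denied case) looks like this in the embedded sign-in page. This is an added example, not Identity Authentication's own code. The browser `document` is passed in as `doc` so the logic can be exercised offline with a stand-in; the outcome names, the stand-in document, and the element ids in the wiring comment are assumptions.

```javascript
// Added example (not SAP's or Identity Authentication's own code): the
// Storage Access API steps an embedded sign-in iframe runs. The browser
// `document` is injected as `doc` so the flow can be exercised outside a
// browser with a stand-in; in a real page you pass `document`.

// Possible outcomes of the "Continue" step (names are constructed here).
const Outcome = Object.freeze({
  ALREADY_HAS_ACCESS: "already-has-access", // no prompt needed
  GRANTED: "granted",                       // user allowed access in the prompt
  DENIED: "denied",                         // user blocked it: sign-in cannot proceed
});

// Step 1: ask whether the iframe already has access to its unpartitioned
// cookies. This never shows a prompt. Browsers without the API do not
// partition third-party cookies, so access is reported as available.
async function hasCookieAccess(doc) {
  if (typeof doc.hasStorageAccess !== "function") return true;
  return doc.hasStorageAccess();
}

// Step 2: runs when the user chooses Continue. requestStorageAccess() must
// be called inside a user gesture (a click handler); called elsewhere the
// browser rejects it without showing any prompt, which looks identical to
// the user choosing "Block".
async function continueSignIn(doc) {
  if (await hasCookieAccess(doc)) return Outcome.ALREADY_HAS_ACCESS;
  if (typeof doc.requestStorageAccess !== "function") return Outcome.DENIED; // no way to ask
  try {
    await doc.requestStorageAccess(); // browser shows its allow/block prompt here
    return Outcome.GRANTED;
  } catch (err) {
    // Rejection: the user denied access or the gesture requirement was not met.
    return Outcome.DENIED;
  }
}

// Stand-in for `document` with a scripted user decision (constructed for
// this example), so all branches above can be exercised offline.
function fakeDocument({ hasAccess, userAllows }) {
  let granted = hasAccess;
  return {
    hasStorageAccess: async () => granted,
    requestStorageAccess: async () => {
      if (!userAllows) throw new Error("NotAllowedError: storage access denied");
      granted = true;
    },
  };
}

// Wiring in the real iframe page (illustrative; element ids and the
// showError/startSignIn helpers are assumed):
//   document.getElementById("continue").addEventListener("click", async () => {
//     const outcome = await continueSignIn(document);
//     if (outcome === Outcome.DENIED) {
//       showError("Sign-in is not possible without access to cookies.");
//     } else {
//       startSignIn(); // cookies are now readable; proceed with the SSO flow
//     }
//   });
```

The call to `requestStorageAccess()` is deliberately kept inside the click handler: a page that calls it on load gets a rejection with no prompt, which is indistinguishable from the user denying access and produces the broken sign-in screen shown above.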

In another scenario, Identity Authentication can be used in pure proxy mode. In this situation, the user's browser might never have interacted with the SAP (ondemand.com) domain. As a result, the browser blocks the iframed domain until the user interacts with it separately at the top level.

To resolve this, Identity Authentication redirects users to a separate page where they have to perform some kind of interaction, so that the browser considers the page's top-level domain "familiar". This interaction is as simple as confirming the message below:

[Image: Screenshot 2024-04-02 at 10.43.06.png]
In some situations this might cause confusion, since with the proxy mode configuration users might not even know they are signing in via Identity Authentication, or that SAP is involved in the sign-in flow at all. However, there was no other way to work around the limitation than sending the user to a separate confirmation page. Once the interaction is done, users no longer need to perform this step.

Deprecation Trial

Google Offering

For customers that require more time to implement changes in their applications, Google offers a grace period. During this grace period, opting out of the new way of handling cookies is possible. Customers can obtain their deprecation trial tokens from Google upon request. You can read more at Preserving critical user experiences.

Identity Authentication Solution

Identity Authentication supports such scenarios by allowing customers to add their deprecation trial tokens so that they are sent in an HTTP header. This ensures that Identity Authentication customers with custom domains can use the deprecation trial for those domains. The field for entering the token is in the same place in the Identity Authentication admin console where custom domains are configured:

[Image: ValAtanassov_9-1712238187712.png]
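For an application that is itself embedded in an iframe, both approaches in this post (the CHIPS partitioned cookie from the Solutions section, and the deprecation trial token from the section just above) come down to response headers. The following added example, which is not SAP's or Identity Authentication's code, shows those headers being built and checked. It assumes a Node.js-style `res.setHeader` interface, a constructed cookie name and value, a placeholder token, and that the token travels in Chrome's `Origin-Trial` response header (the post does not name the header).

```javascript
// Added example (not SAP's or Identity Authentication's own code): the
// response headers an embedded application itself would emit under the two
// approaches in this post: a CHIPS partitioned cookie and a deprecation
// trial token. Assumptions: cookie name and value are constructed; the
// header carrying the token is assumed to be Chrome's `Origin-Trial`
// response header (the post does not name it); the token is a placeholder.

// Build a Set-Cookie value for a CHIPS cookie. Browsers accept `Partitioned`
// only together with `Secure` and `SameSite=None`, so the builder always
// emits all three rather than letting a caller produce a cookie the browser
// would silently drop.
function partitionedCookie(name, value, { path = "/", maxAge, httpOnly = true } = {}) {
  if (!/^[A-Za-z0-9_-]+$/.test(name)) throw new Error(`invalid cookie name: ${name}`);
  const parts = [
    `${name}=${encodeURIComponent(value)}`,
    `Path=${path}`,
    "Secure",
    "SameSite=None",
    "Partitioned",
  ];
  if (httpOnly) parts.push("HttpOnly");
  if (Number.isInteger(maxAge)) parts.push(`Max-Age=${maxAge}`);
  return parts.join("; ");
}

// Review check for cookies produced elsewhere: reports whether a Set-Cookie
// value has the attribute combination a partitioned cookie needs to be
// stored at all.
function isUsablePartitionedCookie(setCookieValue) {
  const attrs = setCookieValue.split(";").map((a) => a.trim().toLowerCase());
  return attrs.includes("partitioned") && attrs.includes("secure") && attrs.includes("samesite=none");
}

// Header carrying the deprecation trial token for this origin.
function deprecationTrialHeader(token) {
  if (typeof token !== "string" || token.trim() === "") {
    throw new Error("deprecation trial token is required");
  }
  return { name: "Origin-Trial", value: token.trim() }; // header name is an assumption
}

// Hypothetical handler step for the embedded app (Node.js http-style `res`).
// Sets the partitioned session cookie and, when a token is configured, the
// trial header on the same response.
function applyEmbeddedHeaders(res, { trialToken } = {}) {
  res.setHeader("Set-Cookie", partitionedCookie("session", "constructed-session-id", { maxAge: 3600 }));
  if (trialToken) {
    const h = deprecationTrialHeader(trialToken);
    res.setHeader(h.name, h.value);
  }
  return res;
}

// Usage with Node's https module, not started here (Secure cookies need TLS;
// certificate options are omitted):
//   require("https").createServer(tlsOptions, (req, res) => {
//     applyEmbeddedHeaders(res, { trialToken: process.env.DEPRECATION_TRIAL_TOKEN });
//     res.end("embedded sign-in page");
//   }).listen(8443);
```

`isUsablePartitionedCookie` is the check worth running in a test suite: a `Partitioned` cookie that lacks `Secure` or `SameSite=None` is rejected by the browser without any error visible to the application, and the resulting symptom is the same broken sign-in described earlier in the post.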

We will update this article as new scenarios appear that are not yet covered.
