Immediate Action Recommended for Certain SSO Agent Deployments to Handle Google Chrome 80 Changes

Document created by RSA Product Team Employee on Feb 17, 2020. Last modified by RSA Product Team Employee on Feb 17, 2020.
Version 2

Summary:

On February 18, 2020, Google will slowly roll out a change to the cookie behavior in Google Chrome version 80 or later. This changed cookie behavior does not affect most RSA SecurID Access users. However, users who run Chrome version 80 and authenticate to the RSA SecurID Access Application Portal might experience a step-up authentication failure if the authentication session is longer than two minutes. This does not affect deployments that use RADIUS or relying parties.

If this issue affects your users, do the following:

  1. Update your identity router to 12.8.0.2.1. The identity router will not display OUT-OF-DATE status because this is a patch. For update instructions, see Update Identity Router Software for a Cluster.
  2. Update your load balancer configuration if all of the following apply: you have configured High Availability in your SSO Agent deployment, your load balancer uses the SPBALANCEID cookie for session persistence, and SameSite is enforced by the users' browsers. In that case, modify your load balancer configuration to set SPBALANCEID as Secure and SameSite=None.

If you manage session persistence in another way, you do not need to make this load balancer change.
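To confirm the load balancer change in step 2, the following added example (not RSA code) checks Set-Cookie header values for SPBALANCEID against the two attributes named above. The header values are constructed samples; the function names and OTHERCOOKIE are assumptions, and in practice the values would come from a response captured from your own load balancer.

```python
# Added example (not RSA code): audit Set-Cookie headers for SPBALANCEID.
COOKIE_NAME = "SPBALANCEID"  # cookie name taken from the advisory


def parse_set_cookie(value):
    """Split one Set-Cookie header value into (name, attributes).

    Attribute names are lower-cased because they are case-insensitive.
    """
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit_spbalanceid(set_cookie_headers):
    """Return a list of findings; an empty list means the cookie is compliant."""
    findings, seen = [], False
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        if name != COOKIE_NAME:
            continue
        seen = True
        samesite = attrs.get("samesite")
        if samesite is None:
            findings.append("SameSite missing: Chrome 80 defaults the cookie to Lax")
        elif samesite.lower() != "none":
            findings.append(f"SameSite={samesite}: expected None")
        if "secure" not in attrs:
            findings.append("Secure missing: Chrome 80 rejects SameSite=None without it")
    if not seen:
        findings.append(f"{COOKIE_NAME} not set in this response")
    return findings


# Constructed sample responses; cookie values and OTHERCOOKIE are made up.
SAMPLES = {
    "unmodified": ["SPBALANCEID=node1; Path=/", "OTHERCOOKIE=x; Path=/; Secure"],
    "samesite only": ["SPBALANCEID=node1; Path=/; SameSite=None"],
    "corrected": ["SPBALANCEID=node1; Path=/; secure; samesite=none"],
}

if __name__ == "__main__":
    for label, headers in SAMPLES.items():
        print(f"{label}: {audit_spbalanceid(headers) or 'OK'}")
```

Run the check against responses fetched over HTTPS through the load balancer, since a cookie marked Secure is only sent back by the browser on HTTPS requests.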


For additional information about the Google Chrome change, see https://chromereleases.googleblog.com/ and https://www.chromium.org/updates/same-site?pli=1#20200210.

For additional documentation, downloads, and more, visit the RSA SecurID Access page on RSA Link.

EOPS Policy:

RSA has a defined End of Primary Support policy associated with all major versions. Please refer to the Product Version Life Cycle for additional details.
