Starting February 17, 2020, the Chrome browser will start rolling out enforcement of security settings that may cause various web applications to behave in errant ways. These settings involve the SameSite cookie attribute which alters when browsers are supposed to send cookies to the server.  A Technical Notice has been distributed for the Web Client (link) with regards to the same changes.

Impacted Authentication Components

The set cookie changes that are affected by the browser behavior addressed in this post will effect the OnBase Identity Provider (IdP) used with OnBase 17 and OnBase 18 as well as the Hyland Identity Provider (IdP) used with OnBase Foundation EP1 and higher.

Solutions

The current solution for both components is to use the Url Rewrite module for Internet Information Services (IIS) to modify the cookies before the browser receives them. The Url Rewrite module in IIS is used to modify incoming requests and outbound responses. It can modify almost any aspect of a request or response, including headers. This means that set-cookie headers can also be modified.

Installing Url Rewrite

Url Rewrite is not a module that comes natively with IIS. You will need to download and install it on your web server hosting the Identity Provider. It can be found here for download. Run the installer on your web server to install the module and then restart IIS. If you have the IIS Manager open, you will need to close and reopen it to see the URL Rewrite icon.

Modifying web.configs for Url Rewrite

The following Url Rewrite configuration XML can be copied and pasted into the /configuration/system.webserver node of the respective web.config configuration files.

After saving changes to the web.config, restart the web application's application pool.

The rules described below will cause Url Rewrite to modify cookies that match various patterns by adding the appropriate SameSite attribute. All the rules have conditions that will exempt Safari 12.x on iPhones and iPads and Safari 12.1 on Mac OS. To remove this condition, simply remove the <add ... /> node inside each <conditions ... /> node.

OnBase IdP (OnBase 17 and OnBase 18)

If you are using the OnBase Identity Provider (IdP) with OnBase 17 or OnBase 18, you can use the following UrlRewrite configuration within the /configuration/system.webserver section of the web.config.

Download OnBase IdP SameSite Cookie Handling URL Rewrite Configuration XML

Hyland Identity Provider (IdP) (OnBase Foundation EP1 and higher)

If you are using the Hyland Identity Provider (IdP) with OnBase Foundation EP1 and higher, you can use the following URL Rewrite configuration within the /configuration/system.webserver section of the web.config.

Download Hyland IdP SameSite Cookie Handling URL Rewrite Configuration XML

If you have any questions, please reach out to your first line of support for more information.