SuccessFactors Adoption of SameSite to support Secure Cookie Settings change
SAP SuccessFactors HXM Suite
Beginning Feb 17th, 2020 (new date announced; previously Feb 4th), Google’s Chrome browser version 80 (“Chrome 80”) is introducing new parameters to make the browser more secure, specifically for cross-site navigation and access. Below are links to Chrome’s overall release schedule and details on the work that they are doing, which is specific to the security improvements.
The updates in Chrome 80 require changes to be made to SuccessFactors’ code to ensure that the application works properly when run on Chrome 80. SuccessFactors will patch these code changes on Feb 2nd, 2020.
How does it impact me?
SuccessFactors has identified areas of impact, if the requisite code changes are not made and deployed by February 4th, 2020. These include access to some SuccessFactors Applications and some 3rd party (non-SuccessFactors) applications, including but not limited to:
- Learning Management System
- Workforce Analytics Application
- Jam Application when accessed from Home Page
- Recruiting Marketing application
- Workforce and Benefit Focus applications
- Any SuccessFactors application when accessed from customer company portal via an i-frame
What action should I take?
With the patch getting deployed on February 2nd, we expect no impact to end users.
If a user cannot access any of the applications (listed above or others) when using the SuccessFactors application in the Chrome browser, please report it through the standard support process. As a workaround, the user can switch to any other browser to continue using these applications.
*For Employee Central customers using Mashups
*For Validated Learning customers only
An additional fix will be needed. It will be added to the current 1808 patch 27 release and redeployed to your environments on the schedule below:
- Sandbox Environment – February 6, 2020
- Preview Environment – February 9, 2020
This will allow you to continue validation of the current patch 27 without alteration of the planned Production Environment schedule of February 22, 2020. Until that date, it is advised that Validated SaaS customers either delay upgrading their Chrome browser to the latest version (80), use a browser other than the latest version (80) of Chrome to access the LMS, or follow the steps below to update the Chrome 80 browser settings, which will allow for continued operation.
How to disable SameSite by default?
- Type “chrome://flags” in the URL bar
- Search for “SameSite”
- Change “SameSite by default cookies” to Disabled
- Change “Cookies without SameSite must be secure” to Disabled
- Click the “Relaunch” button
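As an added illustration (not SAP's or Google's code), the sketch below compares Chrome 80's default cookie handling with the behaviour when both flags above are set to Disabled, for a cookie that must be sent while the application is embedded cross-site (for example in an i-frame). Cookie names and values are constructed samples, and only the embedded cross-site case is modelled.

```javascript
// Parse one Set-Cookie header into the attributes that matter for SameSite.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const cookie = { name: pair.slice(0, pair.indexOf('=')), secure: false, sameSite: null };
  for (const attr of attrs) {
    const [key, value = ''] = attr.split('=').map((s) => s.trim());
    if (key.toLowerCase() === 'secure') cookie.secure = true;
    if (key.toLowerCase() === 'samesite') cookie.sameSite = value.toLowerCase();
  }
  return cookie;
}

// Verdict for a cross-site embedded request: 'sent', 'withheld' or 'rejected'.
// legacy = true models both flags Disabled (pre-Chrome 80 handling).
function crossSiteVerdict(header, { legacy = false } = {}) {
  const c = parseSetCookie(header);
  const explicit = ['strict', 'lax', 'none'].includes(c.sameSite);
  // A missing or unrecognised SameSite value defaults to Lax in Chrome 80.
  const mode = explicit ? c.sameSite : (legacy ? 'none' : 'lax');
  // Chrome 80 refuses to store SameSite=None cookies that lack Secure.
  if (!legacy && mode === 'none' && !c.secure) return 'rejected';
  return mode === 'none' ? 'sent' : 'withheld';
}

// Cookies whose cross-site behaviour changes with Chrome 80 need a server-side fix.
function findRegressions(headers) {
  return headers
    .map((h) => ({
      name: parseSetCookie(h).name,
      before: crossSiteVerdict(h, { legacy: true }),
      after: crossSiteVerdict(h),
    }))
    .filter((r) => r.before !== r.after);
}

// Constructed sample headers, not taken from any real application.
const sampleHeaders = [
  'app_session=abc123; Path=/; HttpOnly',                  // no SameSite attribute
  'sso_token=xyz; Path=/; SameSite=None',                  // None without Secure
  'embed_session=def456; Path=/; Secure; SameSite=None',   // correct for cross-site use
  'csrf=789; Path=/; Secure; SameSite=Strict',             // withheld before and after
];
console.log(findRegressions(sampleHeaders));
```

Only cookies set with both `SameSite=None` and `Secure` keep working in the embedded case, which is why the server-side patch is the fix and the flag change is a temporary browser-side workaround.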
PLT-75905, Chrome80, SameSite, SameSite=None, SSO, Cookies, Secure, Single Sign-On, Validated Learning, KBA, LOD-SF-PLT-SEC, Security & Permissions, LOD-SF-PLT-SEL, SSO Errors & Logs, LOD-SF-PLT-SAM, SAML SSO First Time Setup, Product Enhancement