Configuring Support for Access Manager on Google Chrome Browser
Google Chrome version 80 onwards introduces a change in how cookies are handled in the web browser, with the enforcement of SameSite and Secure cookie configuration. To support this Chrome version with Access Manager, you need to configure the following options.
For Identity Server
- Uncomment the ResponseCookieProcessor filter configuration to set the <param-name> in the web.xml file.
  The web.xml file is located in the following path:
  Linux: /opt/novell/nam/idp/webapps/nidp/WEB-INF
  Windows: /opt/novell/nam/idp/webapps/nidp/WEB-INF
- Change the value from Active to True in the web.xml file.
  <filter>
    <filter-name>ResponseCookieProcessor</filter-name>
    <filter-class>com.novell.nidp.servlets.filters.cookie.ResponseCookieProcessor</filter-class>
    <description>This filter is used to edit Response cookies before delivering to the client.</description>
    <init-param>
      <param-name>Active</param-name>
      <param-value>True</param-value>
    </init-param>
    <init-param>
      <param-name>SameSiteLevel</param-name>
      <param-value>None</param-value>
    </init-param>
  </filter>
  <filter-mapping>
    <filter-name>ResponseCookieProcessor</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
- Restart the servers.
NOTE: Perform the above steps on each node of Identity Server.
For Access Gateway
- Click Devices > Access Gateways > Edit > Advanced Options.
- Add the following Global Advanced Options:
  - NAGGlobalOptions SameSiteCookie=on. This option sets SameSite=None on all Set-Cookie headers coming from Access Gateway.
  - NAGGlobalOptions SameSiteOption=<input-string>. Instead of using the default value None for the SameSite value, you can set it to Lax or Strict. For example, NAGGlobalOptions SameSiteOption=Strict or NAGGlobalOptions SameSiteOption=Lax.
- (Optional) Click Devices > Access Gateways > Edit > [Name of Reverse Proxy] > [Name of Proxy Service] > Advanced Options.
- Add the following options at proxy service level:
  - NAGHostOptions SameSiteCookie=on
  - NAGHostOptions SameSiteOption=<input-string>. <input-string> can be Strict or Lax.
For more information about these options, see Access Gateway Advanced Options in the Access Manager 4.5 Administration Guide.
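To check the effect of the Identity Server and Access Gateway settings above, the following added example (not part of the Access Manager documentation) classifies Set-Cookie header values the way Chrome 80 and later treat them, including the case where SameSite=None is set without Secure. The cookie names and header values are constructed samples; in practice you would paste in the Set-Cookie values returned by your own servers.

```python
# Added example: classify Set-Cookie headers under Chrome 80+ SameSite enforcement.
# All header values below are constructed samples, not captured from Access Manager.

def parse_set_cookie(value):
    """Return (cookie_name, attrs); attrs maps lower-cased attribute names to values."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs

def chrome80_verdict(value):
    """Classify one Set-Cookie header value as Chrome 80+ would handle it."""
    name, attrs = parse_set_cookie(value)
    samesite = attrs.get("samesite", "").lower()
    if samesite == "none":
        # Chrome only accepts SameSite=None when the cookie is also Secure.
        if "secure" in attrs:
            return name, "ok: sent in cross-site requests"
        return name, "rejected: SameSite=None requires Secure"
    if samesite in ("lax", "strict"):
        return name, "ok: restricted by SameSite=" + samesite.capitalize()
    # A missing or unrecognized SameSite value falls back to Lax behaviour.
    return name, "defaulted: missing or unrecognized SameSite, treated as Lax"

def audit(headers):
    """Return a list of (cookie_name, verdict) for each Set-Cookie value."""
    return [chrome80_verdict(h) for h in headers]

# Constructed sample headers covering each outcome.
SAMPLE_HEADERS = [
    "idp_session=abc123; Path=/nidp; Secure; HttpOnly; SameSite=None",
    "gw_session=def456; Path=/; HttpOnly; SameSite=None",
    "app_pref=dark; Path=/; Secure; SameSite=Strict",
    "legacy_id=789; Path=/; HttpOnly",
]

if __name__ == "__main__":
    for cookie, verdict in audit(SAMPLE_HEADERS):
        print(cookie + ": " + verdict)
```

A "rejected" verdict means the cookie is being served without the Secure attribute, so the SameSite=None setting alone will not restore cross-site delivery in Chrome.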