SameSite hotfix installation instructions
Updated: February 14, 2020
SecureAuth hotfix 200106_004_8 is specifically built to address the Chrome SameSite issue as discussed in this knowledge base article: SameSite cookie support and Chrome 80.
Scope
This hotfix is not cumulative, and only addresses the SameSite cookie flag. No other changes are made by this hotfix. The change impacts virtually all cookies generated by the SecureAuth® Identity Platform and SecureAuth IdP products by adding the flag: SameSite=None to all cookies.
Version support
The hotfix update applies to the following SecureAuth IdP and the Identity Platform product versions:
9.1
9.2
9.3
19.07
19.07.01
Prerequisites
The Microsoft updates that support the SameSite flag for the specific Windows Server version and .NET version must be installed on your appliance prior to installation of the SecureAuth hotfix.
Instructions on how to determine which .NET version is installed on your appliance: https://docs.microsoft.com/en-us/dotnet/framework/migration-guide/how-to-determine-which-versions-are-installed.
Important
Installation of the Microsoft update requires a system reboot.
Microsoft Security and Quality Rollup for .NET Framework updates
December 2019 Patch Tuesday updates
January 2020 Patch Tuesday updates
Windows Server version | .NET 4.6-4.7.2 | .NET 4.8 |
|---|---|---|
2012 | N/A | N/A |
2012 R2 | N/A | N/A |
2016 | KB4534271 (see note below) ** | KB4532933 (see note below) ** |
Important
Windows Server 2016 **
Microsoft has released multiple updates for Windows Server 2016 that supersede KB4534271 and KB4532933.
KB4534271 superseded by: | KB4532933 superseded by: |
|---|---|
KB4534307 – January 22, 2020 | KB4534126 – January 22, 2020 |
KB4537764 – February 10, 2020 | KB4534126 – February 6, 2020 |
If you have installed any of the Microsoft updates listed in the table above for Windows Server 2016, the installer will not detect whether the requisite Microsoft update is installed.
Use the -override switch to skip the Microsoft update check.
Windows Server 2008 R2
Windows Server version 2008 R2 is no longer supported; the hotfix installer has not been tested on that platform. The .NET 4.6-4.7.2 update is 4533012 and 4.8 update for 2008 R2 is 4533005.
Installation
It is recommended to install the hotfix on the server when it is offline / out of service. However, It can technically be run on a live server.
Important
Installation of the Microsoft update requires a system reboot, however, the SecureAuth hotfix does not.
Click and download this hotfix: HF200106_004_8.exe
Place the file in a temporary folder on theD:drive of your SecureAuth appliance.
Recommended: Take a snapshot of the SecureAuth appliance.
Run the HF200106_004_8 executable file as an Administrator.
The application runs silently and typically completes within 30 seconds.
The installation will abort with a message indicating the reason if any of the following occur:
– The prerequisite Microsoft update is not installed
– Identity Platform/SecureAuth IdP customizations in conflict with this hotfix
Otherwise, a message displays indicating that the installation is complete.
No reboot or IISRESET is required.
Test your applications, and then put the server back into production.
Repeat this process for all servers in your farm.
Troubleshooting
See the following troubleshooting issues, If you have any other issues, please contact SecureAuth Support.
Aborted installation
If the installation aborts due to finding customizations, check the logs (located in the same folder as the hotfix) and contact SecureAuth Support.
Important
This hotfix was specifically designed to avoid customizations. It is very unlikely that the hotfix will encounter any customization conflicts.
Rollback
If for any reason, you want to rollback this hotfix, revert to your snapshot (see step 3 of the installation procedure) or run the following command:
HF200106_004_8.exe -uninstall
Override hotfix and customization check
If it is determined that the customized files are not used or needed, this hotfix can be installed and will overwrite those files. In addition, if Microsoft releases a new patch with the SameSite fixes that is not known to the installer (as documented in the above section Microsoft Security and Quality Rollup for .NET Framework updates), this option can be used to override the Microsoft update check. Use the following command:
HF200106_004_8.exe -override