KB-2065 Embedded interfaces experience authentication issues in Google Chrome version 80 and above

This issue has been resolved in an Appian hotfix/new Appian version. Please apply the latest hotfix to your Appian installation or upgrade to the latest version of Appian.

Purpose

The purpose of this article is to inform users of an upcoming change in Google Chrome version 80 that may cause authentication issues in Appian embedded interfaces. The current release date for Google Chrome version 80 is February 4, 2020. The default behavior change that introduces the potential authentication issues in Appian embedded interfaces is expected to take effect the week of Feb 17, 2020.

Expected Symptoms

After upgrading to Google Chrome version 80, embedded interfaces hosted on a different domain than Appian may experience authentication issues such as HTTP 401 unauthorized errors or a constant need for re-authentication.

For example, if the embedded page domain is somedomain.net and Appian is hosted on somepage.somedomain.net, users will not experience any issues.

If the embedded page domain is somedomain.net and Appian is hosted on somepage.differentdomain.net, users may get a 401 error when trying to log in to Appian on the embedded page.

Cause

In Google Chrome version 80, cookies that do not specify a SameSite attribute are treated as 'SameSite=Lax' by default. A 'SameSite=Lax' cookie is not sent with requests from content embedded in a page on a different site, which is why an embedded interface on a different domain loses its authenticated session. For more details about Google Chrome's implementation of this change, please see the Google Chrome Status page for this feature.

Appian is aware of this change and has updated all supported versions of Appian to resolve any resulting issues via AN-142514 in the following hotfixes/versions:

Action

Apply the latest hotfix to your Appian installation or upgrade to the latest version of Appian.

If embedded users authenticate using SAML, the cookies sent from the Identity Provider must have the 'SameSite=None; Secure' attributes. Check with the Identity Provider for how to implement this change, if not already in place.
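
One way to check captured Set-Cookie headers against the Chrome 80 behavior described above. This is an added example, not Appian's or Google's code: the cookie names and header values are constructed, the function names are hypothetical, and the same-site test is a simplification that compares the last two host labels instead of consulting the Public Suffix List.

```javascript
// Added example: classify Set-Cookie headers under Chrome 80 SameSite defaults.
// Assumption: "same site" is approximated by the last two host labels; a real
// check needs the Public Suffix List (for example for hosts under co.uk).
function siteOf(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

// Extract the cookie name plus the two attributes that matter here.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: eq < 0 ? pair : pair.slice(0, eq), sameSite: null, secure: false };
  for (const attr of attrs) {
    const [key, value = ''] = attr.split('=').map((s) => s.trim());
    if (key.toLowerCase() === 'secure') cookie.secure = true;
    if (key.toLowerCase() === 'samesite') cookie.sameSite = value.toLowerCase();
  }
  return cookie;
}

// Returns 'sent', 'withheld' or 'rejected' for a cookie set by cookieHost when
// the page that embeds it is served from embeddingHost.
function chrome80Verdict(header, cookieHost, embeddingHost) {
  const c = parseSetCookie(header);
  // SameSite=None without Secure is refused when the cookie is set.
  if (c.sameSite === 'none' && !c.secure) return 'rejected';
  if (siteOf(cookieHost) === siteOf(embeddingHost)) return 'sent';
  // Cross-site embed: only SameSite=None; Secure cookies are attached.
  // A missing or unrecognised SameSite value is treated as Lax.
  return c.sameSite === 'none' ? 'sent' : 'withheld';
}

// Constructed sample headers (hypothetical cookie name and value).
const samples = [
  'SESSION=abc123; Path=/; HttpOnly',
  'SESSION=abc123; Path=/; HttpOnly; SameSite=None',
  'SESSION=abc123; Path=/; HttpOnly; Secure; SameSite=None',
];

function report(cookieHost, embeddingHost) {
  return samples.map((h) => chrome80Verdict(h, cookieHost, embeddingHost));
}

// The two host pairings from the Expected Symptoms section.
console.log(report('somepage.differentdomain.net', 'somedomain.net'));
console.log(report('somepage.somedomain.net', 'somedomain.net'));
```

A 'withheld' or 'rejected' verdict for a session cookie in the cross-domain pairing corresponds to the 401 and repeated re-authentication symptoms listed above.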

Workaround

  1. Users can use an Appian supported web browser other than Google Chrome.
  2. Users can avoid upgrading Google Chrome to version 80 until the hotfix resolving this issue can be applied.
  3. Users can retain the legacy behavior for cookies in the browser by setting both of these flags to "Disabled":
    chrome://flags/#same-site-by-default-cookies
    chrome://flags/#cookies-without-same-site-must-be-secure
  4. System administrators can enforce legacy behavior using Enterprise Policies as detailed in this article.

Affected Versions

This article applies to all versions of Appian using Google Chrome version 80 and above as the web browser.

Last Reviewed: February 2020
