The Microsoft article "Work with SameSite cookies in ASP.NET" describes the SameSite cookie support added to ASP.NET 4.7.2 and 4.8.
By default, no SameSite mode is specified and the Secure flag is false.
This can be overridden using the <httpCookies> setting in the <system.web> section of web.config.
For example, the following configuration defaults all cookies to SameSite=Lax and Secure.
<httpCookies sameSite="Lax" requireSSL="true" />
The SAML_SessionID cookie must include SameSite=None and Secure.
ASP.NET 4.8
If targeting ASP.NET 4.8, there are no issues associated with the SAML_SessionID cookie and the <httpCookies> setting.
Regardless of the <httpCookies> setting, the SAML_SessionID cookie will include SameSite=None and Secure.
Prior to ASP.NET 4.8
If the <httpCookies> setting isn't specified, there are no issues associated with the SAML_SessionID cookie. It will include SameSite=None and Secure.
If <httpCookies sameSite="None"> is specified, there are no issues associated with the SAML_SessionID cookie.
However, if <httpCookies sameSite="Lax"> or <httpCookies sameSite="Strict"> is specified, the following must be added to web.config to ensure the default cookie settings are not used for the SAML_SessionId cookie.
<system.webServer>
  <rewrite>
    <outboundRules>
      <rule name="Set SAML session cookie flags">
        <match serverVariable="RESPONSE_Set_Cookie" pattern="SAML_SessionId=[^;\s]*" />
        <action type="Rewrite" value="{R:0}; Path=/; Secure; HttpOnly; SameSite=None" />
      </rule>
    </outboundRules>
  </rewrite>
</system.webServer>
Regards
ComponentSpace Development
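
One way to confirm that a deployment meets the requirement above (the SAML session cookie carries SameSite=None and Secure) is to audit the Set-Cookie headers the site actually returns. This is an added example, not ComponentSpace or Microsoft code; the function names and sample headers are constructed, and two assumptions are made: the cookie name is compared case-insensitively because the post spells it both ways, and a repeated attribute is resolved to its last occurrence, as in the draft rfc6265bis parsing rules.

```python
# Added example: audit Set-Cookie headers for the SAML session cookie.
COOKIE_NAME = "SAML_SessionId"  # compared case-insensitively (assumption)


def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, attrs)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        # A later duplicate overwrites an earlier one (last occurrence wins).
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def audit(headers):
    """Return a list of findings for the SAML session cookie; [] means OK."""
    findings = []
    seen = False
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        if name.lower() != COOKIE_NAME.lower():
            continue
        seen = True
        samesite = attrs.get("samesite")
        if samesite is None:
            findings.append("SameSite missing")
        elif samesite.lower() != "none":
            findings.append("SameSite=" + samesite)
        if "secure" not in attrs:
            findings.append("Secure missing")
    if not seen:
        findings.append("cookie not set")
    return findings


# Constructed sample responses (not captured from a real site).
GOOD = ["ASP.NET_SessionId=x; path=/; HttpOnly; SameSite=Lax",
        "SAML_SessionId=abc; Path=/; Secure; HttpOnly; SameSite=None"]
DEFAULTED = ["SAML_SessionId=abc; path=/; secure; HttpOnly; SameSite=Lax"]
DUPLICATED = ["SAML_SessionId=abc; Path=/; Secure; SameSite=None; SameSite=Lax"]

if __name__ == "__main__":
    for label, hdrs in (("good", GOOD), ("defaulted", DEFAULTED),
                        ("duplicated", DUPLICATED)):
        print(label, audit(hdrs) or "OK")
```

Feed it the Set-Cookie values from the response that starts SSO, taken from browser developer tools or a proxy capture.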