Challenges with SAML Front Channel Logout and clearing cookies in sites on different domains


I have sites on different domains: site1.domain1.com and site2.domain2.com. I've integrated these sites with an Identity Provider (IDP) using SAML, enabling Single Sign-On (SSO) and Single Logout (SLO) mechanisms. The IDP is also on a different domain (idp.domain3.com). The sites use a cookie to indicate whether a user is logged in.

When a user logs out from one of the sites, the IDP initiates a Front Channel Logout. It displays a page with a hidden iframe containing a SAML Logout request for the second site. My goal on the second site is to clear the site's cookie, which indicates that the user is logged out. To do this, I set the cookie to expire in response to the SAML Logout request. I'm setting the cookie this way: Set-Cookie: cookieToRemove=expired; Path=/; Max-Age=0; SameSite=None; Secure.

However, I encounter a problem when trying to clear the cookie. While Chrome and Edge successfully clear the cookie, Firefox does not. After some research, I discovered that the cookie is treated as a third-party cookie because the IDP is on a different domain than the site. Firefox blocks the setting of third-party cookies by default, and other browsers are expected to follow suit in the future.

I would like to know the recommended approach for handling SAML Front Channel Logout in the context of sites that use cookies, especially considering browsers that block third-party cookies.
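To make the flow in the question concrete, here is an added example (not the asker's code, and not any particular SAML library's API) of what the second site's SLO endpoint does when the IDP's hidden iframe loads it: decode the SAMLRequest parameter as carried by the HTTP-Redirect binding (base64 over raw DEFLATE), confirm it is a samlp:LogoutRequest, and answer with the same expiring Set-Cookie header the question uses. The sample LogoutRequest, the endpoint path and the issuer value are constructed for the example; signature verification of the request is left out and must be done by the real endpoint before anything is cleared. Whether the browser honours that header when the response is rendered in a cross-site iframe is exactly the open problem the question describes.

```python
import base64
import zlib
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"


def decode_redirect_binding(saml_request: str) -> ET.Element:
    """Decode a SAMLRequest query parameter (HTTP-Redirect binding):
    base64 text wrapping a raw-DEFLATE compressed XML document."""
    raw = base64.b64decode(saml_request)
    # wbits=-15 selects raw DEFLATE (no zlib header), as the binding requires
    xml_bytes = zlib.decompress(raw, -15)
    return ET.fromstring(xml_bytes)


def parse_logout_request(root: ET.Element) -> dict:
    """Extract the fields an SP needs from a samlp:LogoutRequest.
    Any other message type is rejected so the endpoint only clears state
    in response to a logout."""
    if root.tag != f"{{{SAMLP_NS}}}LogoutRequest":
        raise ValueError("not a samlp:LogoutRequest")
    issuer = root.find(f"{{{SAML_NS}}}Issuer")
    name_id = root.find(f"{{{SAML_NS}}}NameID")
    session_index = root.find(f"{{{SAMLP_NS}}}SessionIndex")
    return {
        "id": root.get("ID"),
        "issuer": issuer.text if issuer is not None else None,
        "name_id": name_id.text if name_id is not None else None,
        "session_index": session_index.text if session_index is not None else None,
    }


def expire_cookie_header(name: str) -> str:
    """Set-Cookie value that removes a cookie from a response loaded in a
    cross-site iframe: Max-Age=0 expires it, and SameSite=None (which
    requires Secure) is what allows the browser to even consider it."""
    return f"{name}=expired; Path=/; Max-Age=0; SameSite=None; Secure"


def handle_front_channel_logout(saml_request: str, cookie_name: str = "cookieToRemove"):
    """SP-side handler for the iframe-loaded logout URL: returns the parsed
    request and the response headers the SP sends back. (Signature check
    omitted here; a real endpoint verifies the IDP's signature first.)"""
    request = parse_logout_request(decode_redirect_binding(saml_request))
    headers = [("Set-Cookie", expire_cookie_header(cookie_name))]
    return request, headers


def build_sample_request() -> str:
    """Constructed LogoutRequest from idp.domain3.com to site2, encoded the
    way the IDP would put it in the iframe URL. Values are made up."""
    xml = (
        f'<samlp:LogoutRequest xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}" '
        'ID="_req-example-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" '
        'Destination="https://site2.domain2.com/saml/slo">'
        '<saml:Issuer>https://idp.domain3.com</saml:Issuer>'
        '<saml:NameID>user@example.com</saml:NameID>'
        '<samlp:SessionIndex>_sess-example-1</samlp:SessionIndex>'
        '</samlp:LogoutRequest>'
    )
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # raw DEFLATE
    deflated = compressor.compress(xml.encode()) + compressor.flush()
    return base64.b64encode(deflated).decode()


if __name__ == "__main__":
    parsed, response_headers = handle_front_channel_logout(build_sample_request())
    print(parsed)
    for name, value in response_headers:
        print(f"{name}: {value}")
```

Running the module decodes the constructed request and prints the parsed fields followed by the Set-Cookie line from the question. The handler returns its headers rather than writing them, so the same function can sit behind any web framework's response object.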

