Overview
Version
| Report Server Version | Functional Change |
|---|---|
| 11.0 | / |
| 11.0.4 | Added a built-in SameSite policy to handle cross-domain access for HTTPS-enabled projects. |
Problem
In Chrome V80.0 and later and Firefox V96.0 and later, login via single sign-on (SSO) fails and you are redirected to the login page. SSO login works normally in other browsers.
Cause
SSO failure results from cookie restrictions.
Starting from Chrome V80.0 and Firefox V96.0, the browsers' cookie security policy changed: the default value of the SameSite attribute is now Lax, which prevents cookies from being sent across sites. As a result, SSO fails.
Solution
Solution for HTTPS-enabled Projects
FineReport Not Deployed via FineOps
For FineReport not deployed via FineOps and with project versions 11.0.4 or later, if the project has been upgraded to HTTPS, the built-in SameSite policy for cross-domain access can be used directly without any additional configuration.
After cross-domain SSO is configured for HTTPS-enabled projects, cross-site SSO is available.
FineReport Deployed via FineOps
The solution is only applicable to FineReport deployed via FineOps and configured with HTTPS.
1. Download and unzip the configuration file CORS.conf: CORS.zip
2. Place the CORS.conf file in /nginx/conf/custom within the external directory of FineReport.
· If the /nginx/conf/custom directory does not exist, manually create one and ensure that you are granted the read and write permissions on the directory.
· If you are unsure of the location of the external directory, you can find it in the project deployment information. For details, see Exporting Project Deployment Information.

3. Log in to FineOps, select a desired project, choose Maintenance > Component Management, and click Restart to restart the nginx component.
4. When configurations are parsed during the restart, the CORS.conf file will be automatically loaded and merged into the location / ${APP_PATH} block to enable cross-site SSO.

Solution for HTTP-enabled Projects
Solution One: Unifying the Primary Domain
Follow the cross-site rules below to ensure that the top-level domain (TLD) and second-level domain (SLD) of two projects are the same. For example, a.b.com and c.b.com share the same TLD (.com) and SLD (b).
For another example, cross-site SSO failures do not occur for bbs.fanruan.com and help.fanruan.com, as they share the same TLD (.com) and SLD (fanruan).
Cross-site rules:
Cross-site determination is based on The Public Suffix List.
Two URLs are considered to be from the same site if their TLD and SLD (collectively referred to as public suffix+1 hereinafter) are identical.
· Top-level domain (TLD): The longest suffix matched from The Public Suffix List
· Second-level domain (SLD): The segment immediately preceding the TLD
For example, the public suffix+1 of www.sina.com.cn and www.sohu.com.cn are sina.com.cn and sohu.com.cn, respectively. Since they differ, the two URLs are not considered to be from the same site.
For another example, the public suffix+1 of both nanzhuang.taobao.com and nvzhuang.taobao.com is taobao.com. Therefore, the two URLs are considered to be from the same site.
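The cross-site rules above can be checked in code. The following is an added example, not part of FineReport or this document's original content: the function names are hypothetical, and PSL_RULES is a small constructed subset of The Public Suffix List (including one wildcard and one exception rule) that a real check would replace with the full list. It compares host names only and treats IP-literal hosts as same-site only when the addresses are identical.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed subset of the Public Suffix List, for illustration only.
# A real check must load the full list from https://publicsuffix.org/.
PSL_RULES = {"com", "cn", "com.cn", "github.io", "*.ck", "!www.ck"}


def public_suffix_len(labels):
    """Number of trailing labels that form the public suffix (TLD in the page's terms)."""
    best = 1  # PSL default rule "*": an unlisted last label is still a suffix
    for i in range(len(labels)):
        n = len(labels) - i
        candidate = ".".join(labels[i:])
        if "!" + candidate in PSL_RULES:
            return n - 1  # exception rule wins: drop its leftmost label
        wildcard = "*." + ".".join(labels[i + 1:])
        if candidate in PSL_RULES or (n > 1 and wildcard in PSL_RULES):
            best = max(best, n)
    return best


def registrable_domain(host):
    """Public suffix+1 of a host name, or None when the host is itself a suffix."""
    labels = host.lower().rstrip(".").split(".")
    n = public_suffix_len(labels)
    if len(labels) <= n:
        return None
    return ".".join(labels[-(n + 1):])


def site_key(url):
    """Value that must match for two URLs to count as the same site."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    try:
        return str(ipaddress.ip_address(host))  # IP literal: compare the whole address
    except ValueError:
        return registrable_domain(host)


def same_site(url_a, url_b):
    """True when both URLs share the same public suffix+1 (or the same IP)."""
    key_a, key_b = site_key(url_a), site_key(url_b)
    return key_a is not None and key_a == key_b
```

Running same_site() on the FineReport URL and the third-party system URL before deployment shows whether Solution One applies or whether a proxy or HTTPS is needed.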
Solution Two: Configuring a Proxy
You can configure a proxy to place FineReport and the third-party system under the same domain. The report links configured in the third-party system must be replaced with the proxy URLs. In this way, SameSite restrictions can be bypassed.
Temporary Solution
Note: This temporary solution involves modifying Chrome settings. The changes must be applied to Chrome on every computer accessing the project, which is troublesome and leads to a poor user experience. Therefore, this solution is not recommended. You are advised to adopt the solution in the "Solution for HTTPS-enabled Projects" section.
This temporary workaround applies to all Chromium-based browsers, such as the new Edge (in Microsoft Edge, the settings page is at edge://flags/), except those of V91 and later versions.
Enter chrome://flags/ in the Chrome address bar, enter SameSite in the search box, locate SameSite by default cookies, and click Disabled.
Relaunch Chrome for the setting to take effect, as shown in the following figure.
