Failed SSO on Chrome

  • Last update:  2023-11-17
  • Overview

    Version

    Report Server Version | Functional Change
    11.0                  | /
    11.0.4                | HTTPS_SameSite_ cross-domain policy is built in.

    Problem Description

    Single sign-on (SSO) login fails and you are redirected to the login page. This occurs only in Chrome V80.0 and later versions and Firefox V96.0 and later versions.

    Reason

    SSO is unsuccessful due to cookie issues.

    The security policies changed in Chrome V80.0 and later versions and in Firefox V96.0 and later versions. By default, the SameSite policy no longer allows cookies to be sent across different sites, which causes SSO to fail.

    Solution

    HTTPS Solution

    If the upgraded project uses HTTPS and runs version 11.0.4 or later, you can use the built-in HTTPS_SameSite_cross-domain policy directly.

    After cross-domain SSO is set for HTTPS, cross-site SSO is available.

    HTTP Solution

    Note:
    The configuration in this section is quite complex. You are advised to upgrade the project to use HTTPS and follow the section "HTTPS Solution" instead.

    Solution One: Unifying Main Domain

    Using the cross-site explanation below, make sure that the two projects have the same top-level domain and the same second-level domain. For example, for a.b.com and c.b.com, .com is the top-level domain and b is the second-level domain.
    Example: The problem does not occur for bbs.fanruan.com and help.fanruan.com, because they share the same top-level domain .com and second-level domain fanruan.

    Cross-site explanation:

    The Public Suffix List is the basis for determining whether a request is cross-site.

    Two URLs share the same site if they share the same top-level domain and second-level domain (referred to below as public suffix+1).

    • Top-level domain: The longest suffix of the hostname that matches an entry in the Public Suffix List.

    • Second-level domain: The field immediately before the top-level domain.

    Note:
    For details about the list of top-level domain names, see Top-level Domain Name List.

    For example, the public suffix+1 of www.sina.com.cn and www.sohu.com.cn are sina.com.cn and sohu.com.cn respectively, so the two URLs do not share the same site.

    For another example, the public suffix+1 of nanzhuang.taobao.com and nvzhuang.taobao.com are both taobao.com, so they share the same site.
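The public suffix+1 comparison described above, as an added example that is not part of the original page and is not FineReport code. It goes beyond the text by also handling the wildcard and exception rules of the Public Suffix List format; PSL_SUBSET is a small constructed excerpt of the list, and the function names are hypothetical.

```javascript
// Added example, not FineReport code. PSL_SUBSET is a small constructed
// excerpt; a real check loads the full Public Suffix List.
const PSL_SUBSET = new Set(["com", "cn", "com.cn", "*.ck", "!www.ck"]);

// Public suffix of a DNS hostname (IP literals are out of scope here).
function publicSuffix(hostname, rules = PSL_SUBSET) {
  const labels = hostname.toLowerCase().replace(/\.$/, "").split(".");
  // All suffixes of the name, longest first: a.b.com, b.com, com.
  const suffixes = labels.map((_, i) => labels.slice(i).join("."));
  // An exception rule (!x) wins over every other rule; the public suffix
  // is then the rule with its leftmost label removed.
  const exception = suffixes.find((s) => rules.has("!" + s));
  if (exception) return exception.split(".").slice(1).join(".");
  for (let i = 0; i < suffixes.length; i++) {
    if (rules.has(suffixes[i])) return suffixes[i]; // longest plain rule
    // Wildcard rule *.parent matches any single label under parent.
    if (i + 1 < suffixes.length && rules.has("*." + suffixes[i + 1])) {
      return suffixes[i];
    }
  }
  return suffixes[suffixes.length - 1]; // default rule "*": the last label
}

// "Public suffix+1": the suffix plus the one label to its left.
// Returns null when the host is itself a public suffix.
function registrableDomain(hostname, rules = PSL_SUBSET) {
  const host = hostname.toLowerCase().replace(/\.$/, "");
  const suffix = publicSuffix(host, rules);
  if (host === suffix) return null;
  const left = host.slice(0, -(suffix.length + 1)).split(".");
  return left[left.length - 1] + "." + suffix;
}

// Two URLs are same-site when their public suffix+1 values are equal.
// The scheme is ignored, following the definition given above.
function isSameSite(urlA, urlB, rules = PSL_SUBSET) {
  const site = (u) => {
    const host = new URL(u).hostname;
    return registrableDomain(host, rules) ?? host;
  };
  return site(urlA) === site(urlB);
}

// Hostnames taken from the examples in this section.
console.log(isSameSite("http://bbs.fanruan.com/", "http://help.fanruan.com/"));
console.log(isSameSite("http://www.sina.com.cn/", "http://www.sohu.com.cn/"));
```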

    Solution Two: Configuring the Proxy

    You can place FineReport and the third-party system under the same domain through a proxy, and change the report links configured in the third-party system to links that go through the proxy. The requests then stay within one site, so the SameSite restriction no longer applies.

    Temporary Solution

    Note:
    1. The temporary solution is to modify Google Chrome's settings. You need to perform the operation on each computer that accesses the project, which results in a poor user experience. Therefore, this solution is not recommended, and the solution in section "HTTPS Solution" is recommended instead.

    2. The temporary solution applies to all browsers built on the Google kernel, such as the new Edge (through edge://flags/), but not to V91 and later versions of those browsers.

    Enter chrome://flags/ in the Chrome address bar, enter SameSite in the search box, find the SameSite by default cookies option, and click Disabled on the right.

    After changing the setting, restart Chrome for it to take effect.

     

     

