
Impact to SAML Login with Browser Changes for Handling Third-Party Cookies (Chrome version 80)

Date Published: Feb 13, 2020


Category: Product: Learn; Version: 9.1, SaaS
Article No.: 000056902

Type:

Product: Blackboard Learn


Bulletin/Advisory Information:

Google released Chrome 80 on February 4, 2020 and has also announced a limited roll-out for releasing a cookie handling change starting February 17, 2020. This update will change the default behavior for handling third-party cookies and will impact the use of cookies by Blackboard Learn’s SAML authentication type. Testing has observed the following behaviors when using SAML for authentication with Chrome 80:
  • Unimpacted:
    • A user authenticates through the identity provider (e.g. Office 365) then accesses a SAML single sign-on link to access Blackboard Learn, referred to as IdP-initiated Single Sign-on.
    • A user logs in with the Blackboard Learn login page, using a SAML identity provider. In this scenario, a user’s first login attempt will be successful if completed within 2 minutes of the first attempt.
  • Impacted:
    • A user logs in with the Blackboard Learn login page, using a SAML identity provider, but waits 2 minutes before logging in. The user’s first login attempt will fail due to the changed cookie handling. A second attempt to authenticate will be successful if completed within 2 minutes of the first attempt.
    • A user logs out of Blackboard Learn, waits 2 minutes, and then tries the Blackboard Learn login page using a SAML identity provider. The user's attempt will fail due to the changed cookie handling. An additional attempt to authenticate will be successful if completed within 2 minutes.
  • If your institution is using a custom SAML authentication workflow not listed above, you should conduct testing of authentication.

Blackboard has completed a fix for the described behavior when using SAML with the default Learn login page and validated that changes won’t negatively impact older browsers that are considered supported. The fix has been released to Learn SaaS Continuous Delivery in 3800.2.0-rel.20+2226729.  For clients on SaaS Flexible Deployment, a fix is planned for 3800.0.1 (Q4 2019 Cumulative Update 1). Q2 2019 Cumulative Update 7, Q4 2018 Cumulative 10, and Q2 2018 Cumulative Update 15 contain the fix as well.    

The following workarounds are recommended if your site is on a version that does not yet have a fix or is not supported:
  1. A user can choose a different browser, such as Mozilla Firefox or Microsoft Edge.  However, both Mozilla and Microsoft have communicated they intend to make a similar change in the future.
  2. Access Blackboard Learn through the identity provider as a single sign-on (IdP-initiated SSO).
  3. If using the Learn login page with SAML, inform Chrome users that they may have to log in twice.

Additional notes:
  • The impact of Chrome 80’s default cookie handling change is not limited to SAML authentication.
    • Integrations with third-party tools such as those integrated with Learning Tools Interoperability (LTI), Building Block APIs, and REST APIs could all be impacted. Please see article 51929 for details. A resources page for developers has also been published.
    • There is a known issue with SCORM playback that was previously addressed in newer versions of Learn and Cumulative Updates. See article 51292 for details.
  • The timing of this change by Google Chrome coincides with changes being made in Blackboard Learn related to adopting Java 11 in 3800.2 (SaaS Continuous Delivery), 3800.0 (SaaS Flexible Deployment Option), and 9.1 Q4 2019, which can impact some Building Blocks, but the two are unrelated. When troubleshooting Java 11 issues with Building Blocks, confirm that the observed issues are unrelated to this Google Chrome change.

Additional information about the change in Chrome 80
Google’s change in Chrome 80 is to restrict, by default, the communication of information between two domains using cookies unless the browser is informed that the cookie is appropriately secured.  The change in third-party cookie handling is to help prevent what is called “fingerprinting,” or unauthorized parties harvesting tracking and personal information that may be stored in cookies, particularly in cases where websites do a poor job of minimizing personal data storage or improperly securing the cookie.  In the case of learning tools and environments, including Blackboard Learn, these data are typically stored in the learning environment or tool itself in order to be compliant with regulations covering educational data, and cookies are used for purposes of security and keeping a user’s place as they navigate the learning environment. “Fingerprinting” is generally associated with cookies used for online shopping, social media browsing, and informational or entertainment websites that monetize clicks and user information.

Specific to the SAML authentication workflow, a cookie is being used to verify the user as part of an OAuth2 workflow. No personal data are being stored in the cookie that would be susceptible to “fingerprinting” by bad actors.
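
The two-minute login behaviours listed in this advisory can be reproduced with a small model of Chrome 80's cookie decision. This is an added example, not Blackboard's code: it assumes the mechanism is Chrome's SameSite default (a cookie with no SameSite attribute is treated as Lax, with a two-minute allowance on top-level cross-site POSTs, and SameSite=None is only accepted with Secure), that the identity provider returns the SAML response by cross-site POST, and the cookie name and function names are hypothetical.

```javascript
// Added illustration: models Chrome 80's default cookie rule for the cross-site
// POST that carries a SAML response from the IdP back to the service provider.
// Cookie names and values are constructed, not taken from Blackboard Learn.
const LAX_POST_WINDOW_SECONDS = 120; // allowance for cookies with no SameSite attribute

// Parse the Set-Cookie attributes that matter for this decision.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), sameSite: null, secure: false };
  for (const attr of attrs) {
    const [key, value = ''] = attr.split('=').map((s) => s.trim());
    if (key.toLowerCase() === 'secure') cookie.secure = true;
    if (key.toLowerCase() === 'samesite') cookie.sameSite = value.toLowerCase();
  }
  return cookie;
}

// Would the browser attach this cookie to a top-level cross-site POST?
function sentOnCrossSitePost(cookie, ageSeconds) {
  switch (cookie.sameSite) {
    case 'none':
      return cookie.secure; // SameSite=None without Secure is rejected
    case 'strict':
    case 'lax':
      return false; // explicit Lax/Strict: never sent on a cross-site POST
    default:
      // No SameSite attribute (unknown values are handled the same way in
      // this model): sent only while the cookie is still recent.
      return ageSeconds <= LAX_POST_WINDOW_SECONDS;
  }
}

// Assumed SP-initiated flow: the service provider sets a state cookie when its
// login page loads and needs it back when the IdP POSTs the SAML response.
function spInitiatedLoginSucceeds(setCookieHeader, secondsUntilIdpPost) {
  return sentOnCrossSitePost(parseSetCookie(setCookieHeader), secondsUntilIdpPost);
}

// Constructed sample headers.
const legacy = 'LOGIN_STATE=abc123; Path=/; HttpOnly';
const marked = 'LOGIN_STATE=abc123; Path=/; HttpOnly; Secure; SameSite=None';

console.log(spInitiatedLoginSucceeds(legacy, 45));  // login completed quickly
console.log(spInitiatedLoginSucceeds(legacy, 300)); // user waited before logging in
console.log(spInitiatedLoginSucceeds(marked, 300)); // cookie marked for cross-site use
```

IdP-initiated single sign-on is not modelled because, in that flow, no service-provider cookie has to survive the round trip to the identity provider.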

It is important to note that this change in Chrome’s default behavior regarding third-party cookies is not specific to Blackboard Learn, SAML authentication, or Learn integrations with third-party tools. It’s due to the change in handling of cookies and will be common to other platforms, learning management systems, and virtual learning environments. 

 



The information contained in the Knowledge Base was written and/or verified by Blackboard Support. It is approved for client use. Nothing in the Knowledge Base shall be deemed to modify your license in any way to any Blackboard product. If you have comments, questions, or concerns, please send an email to kb@blackboard.com. © 2021 Blackboard Inc. All rights reserved