Cross-site cookies for embedded apps

codergrl · ‎12-02-2020

I have an ArcGIS HUB site that has several ArcGIS Online apps embedded in it. We used to use ArcGIS Online logins for both AGO and HUB and everything worked fine, the user would login once into HUB and the embedded apps would load automatically.

We switched to using AD security and now the attachments no longer load, they require signing in. So the users are now forced to sign in once into HUB and then again for every embedded up with the same AD credentials.

Looking at the dev tools I found this message:

According to this article (https://support.esri.com/en/technical-article/000022568) this should have been resolved. Any words of wisdom?

RexRobichaux · ‎01-07-2021

Hey @codergrl did you ever figure this out or hear from Esri? We are seeing very similar errors in our console for apps deployed to our servers created in Web AppBuilder Developer... and our organization is apparently rolling out the Chrome update that will make SameSite / Schemeful cookie blocking default / mandatory. I'm unsure if this will have any detrimental affect to users of our apps or not at this time. Thanks for any info you can provide!

codergrl · ‎01-08-2021

Unfortunately, this is still an issue, and I have not heard a peep from Esri. Our client is holding back on going to production with HUB because of this.

codergrl · ‎06-21-2021

Just wanted to give you an update on this. It was filed as a bug in March 2021: BUG-000137967: SAML authentication is not consistently passed through to embedded applications on non-public Hub sites, causing each embedded application to prompt for credentials.

Haven't heard anything back on a fix yet.