SAP Knowledge Base Article - Public

3418866 - Removal of Third-Party Cookies in Google Chrome and Microsoft Edge Browser

Symptom

Starting in Q1/24, end users may face issues with their web applications when running in Chrome due to Chrome's third-party cookie deprecation.

End users could experience broken authentication flows or content sections not loading or behaving correctly. 

Affected are all applications utilizing third-party cookies, especially those that embed content from other domains with iFrames and rely on:

a) Cookie-based authentication / Single-Sign-On. Authentication via, for example, Identity Provider or Java session tokens could break randomly, content sections may not load or authentication flows could get interrupted.

b) Application-specific mechanisms that require cookies. Previous end user customization or application configuration might be ignored. 

c) A combination of both.

Starting January 4th, 2024, this will initially affect 1% of end users when using an unmanaged Chrome browser. More users will be affected over time. After Q2/24, without mitigation, affected products will break for all end users when using Chrome.

Microsoft Edge is built on Chromium. As far as we know, Microsoft will follow the Chrome approach shortly after.

Reason and Prerequisites

This note is primarily addressing Google Chrome's third-party cookie deprecation and its implications.

Third-party cookies are used for tracking, advertising, session management, SSO, personalization. At SAP, we use them for session management and Single Sign-On (SSO).

Browser vendors are in the process of deprecating or limiting the use of third-party cookies to prevent user tracking for data privacy reasons:

- Firefox and Safari have already changed their default behavior by blocking third-party cookies while allowing end users to manually opt-in again.

Google Chrome begins its deprecation plans on January 4th, 2024. Microsoft Edge is built on Chromium. As far as we know, they will follow the Chrome approach shortly after.

Google Chrome takes a different path by permanently blocking third-party cookies after 2024. End users will only be able to manually opt-in again throughout 2024. Afterwards, Google will fully block third-party cookies, leading to a breaking change in affected applications.

Google rolls out the change in a phased approach, starting for 1% of end users on January 4th, ramping up to 100% of end users by the end of 2024, subject to approval by the CMA (see Section F). During the phase-out, only unmanaged Chrome instances will be affected.

Environment

SAP Business bydesign

Reproducing the Issue

Scenario/Symptom examples :

HTML Mashup – Wherever external domains are integrated may impact in loading. For Example: Google Maps loading issue or Login page 

SSO – Single Sign On

Resolution

Client-side solutions (end users / IT departments):

Note: The options listed are considered temporary. We do not yet know how long any of these will remain in Chrome.

  1. End users can use Chrome's opt-in feature to allow all third-party cookies within a given website. This blog post, "The next step toward phasing out third-party cookies in Chrome", explains how the "opt-out” for users will work. 
  2. A list of top-level domains can be added to a local allow list in the Chrome browser config either via policies or manual configuration.
  3. IT departments should consider actively managing Chrome browsers since managed browsers are initially excluded from the phased roll-out. 

Keywords

KBA , AP-RC-UIF-RT-B , ByD HTML5 Client (not for Cloud for Customer) , Known Error

Product

SAP Business ByDesign all versions