Update required settings for ENABLE_MULTI_SAML to prevent issues with cross-domain cookies (#252)

simonhammes · web-flow · commit cb3375155555 · 2025-06-14T13:20:48.000+02:00
Co-authored-by: Simon Hammes &lt;simonhammes@users.noreply.github.com&gt;
diff --git a/docs/configuration/authentication/saml-team.md b/docs/configuration/authentication/saml-team.md
@@ -8,19 +8,19 @@ search:
 
 in `dtable_web_settings.py` add these settings:
 
-```bash
+```python
 # to activate teams in general
 CLOUD_MODE = True
 MULTI_TENANCY = True
 
 # to activate multi-saml in general
 ENABLE_MULTI_SAML = True
-SAML_CERTS_DIR = '/opt/seatable/seatable-data'
+SAML_CERTS_DIR = '/shared/certs'
 ```
 
 SAML for Teams is also a role permission that has to be assigned to a role.
 
-```bash
+```python
 ENABLED_ROLE_PERMISSIONS = {
     'org_default': {
         'can_use_saml': True
@@ -40,11 +40,20 @@ cd /opt/seatable-server/
 openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout sp.key -out sp.crt
 ```
 
-```bash
+```python
 #SAML_CERTS_DIR = '/opt/seatable/seatable-data'
 #SAML_ATTRIBUTE_MAP = {
 #'uid': 'uid',
 # 'contact_email': 'contact_email',
 # 'name': 'name',
 #}
 ```
+
+If the SAML provider is on a separate domain (which it will definitely be in case of `cloud.seatable.io`), the following settings must be configured to prevent issues with cross-site cookies:
+
+```python
+SESSION_COOKIE_SECURE = True
+SESSION_COOKIE_SAMESITE = 'None'
+CSRF_COOKIE_SECURE = True
+CSRF_COOKIE_SAMESITE = 'None'
+```
