Technology Blogs by SAP
thomas-bruckner
Product and Topic Expert

Refresher: The Problem with Third-Party Cookies

The web is heavily based on a technology called cookies. In a nutshell, a cookie is a small piece of information stored in your browser for later use by a website you visited. Cookies are for instance used to temporarily persist your session after you have logged in to a website or service using your browser – usually until you close your browser window. Cookies are also used when you tick the small check-box on a login page that offers "Keep me signed in" or "Remember me"; this just sets the cookie's validity to a defined timeframe. On the other hand, the web also leverages cookies for tracking purposes. We speak of third-party cookies whenever a website, let's say example.com, integrates some form of content (scripts, images, iFrames, etc.) that runs under a different domain (for example sap.com) and this content or domain uses cookies.

Some time back, all major browser vendors or their underlying browser engines announced that they would heavily restrict the usage of third-party cookies, with different rollout strategies and timelines (see WebKit, Google/Chrome, Mozilla). This basically brings us to the point that, in the future (and partially already today), web applications will only function correctly by default if they do not rely on third-party cookie scenarios.

SAP Mobile Start and SAP Build Work Zone, standard edition

SAP Mobile Start is a native mobile application serving as the native mobile entry point for the Intelligent Enterprise. Besides bringing relevant business data to the app by leveraging native features like Widgets, Complications, Push Notifications and more, relevant business transactions and processes for mobile scenarios can be executed using the exposed and configured apps. These can be other native apps (like SAP SuccessFactors on iOS and Android) or mobile-optimized web apps – for example SAP Fiori apps exposed from SAP S/4HANA. From a content perspective, SAP Mobile Start is based on SAP Build Work Zone, standard edition (alternatively you can also use SAP Start). SAP Start is the central entry point for the browser into (selected) SAP Cloud Solutions. It allows users to search for applications, see all their tasks in one place via SAP Task Center and get recommended interest cards that are relevant to their role. SAP Build Work Zone, standard edition is an application-centric central entry point which supports more systems than just selected SAP Cloud Solutions and provides more configuration flexibility.

A typical (and recommended) integration approach for web apps, especially for SAP Fiori apps, is to launch them embedded into the central shell. This approach is often also referred to as the "in-place" mode. On a technical level this means that the actual app runs inside an iFrame within the surrounding shell of SAP Build Work Zone, standard edition. This holds true both when launching embedded / in-place apps in SAP Build Work Zone, standard edition on your regular desktop browser and when launching them via SAP Mobile Start. The latter instantiates an in-app browser window provided by the mobile operating system, in which the web app is launched using its unique target URL. The following figure shows the same business app (in our case "Manage Purchase Orders"), started on the left on a laptop using SAP Build Work Zone, standard edition and on the right using the native mobile app SAP Mobile Start.

Figure: SAP Fiori App launched in SAP Build Work Zone, standard edition and SAP Mobile Start


Example: Problematic Landscape Configuration

Let's look at an imaginary landscape configuration where third-party cookie restrictions may cause issues. Such an example helps to illustrate potential issues during your system landscape setup and segues into the next section, where we focus on how to overcome them. In the following scenario we have provisioned these resources:

  • A new SAP S/4HANA Cloud Public Edition tenant that is available under the imaginary URL my000000.s4hana.cloud.sap
  • The SAP S/4HANA system is trusted with an SAP Cloud Identity Services – Identity Authentication tenant using the URL example.accounts.cloud.sap
  • Your SAP BTP subaccount is trusted with the same SAP Cloud Identity Services – Identity Authentication tenant, but using the URL example.accounts.ondemand.com
  • On the SAP BTP subaccount, SAP Build Work Zone, standard edition is subscribed
  • SAP Build Work Zone, standard edition is used by your end-users with the URL example.launchpad.cfapps.eu10.hana.ondemand.com and SAP Mobile Start is onboarded on this environment with the same URL
  • Content from SAP S/4HANA Cloud Public Edition is exposed in in-place integration mode

When your purchaser employee now launches the "Manage Purchase Order" application exposed from the SAP S/4HANA system via SAP Mobile Start, the following technical steps happen during the launch:

  1. SAP Mobile Start instantiates the in-app browser view and passes the URL which points to the tapped application on SAP Build Work Zone, standard edition.
  2. SAP Build Work Zone, standard edition running on SAP BTP will most likely not have an active browser session, thus redirecting to the connected Identity Provider.
  3. Ideally the session on the Identity Provider is still valid from the initial onboarding of SAP Mobile Start; otherwise it is re-established via the configured authentication methods. (Note: A session cookie of the SAP Cloud Identity Services – Identity Authentication tenant will be set in the context of ondemand.com.)
  4. SAP Build Work Zone, standard edition now loads the context, including the information about the targeted application.
  5. The in-place app is loaded in an iFrame on the page, pointing to my000000.s4hana.cloud.sap.
  6. Since there is no active session, a redirect is triggered to the connected Identity Provider of the SAP S/4HANA system (example.accounts.cloud.sap).
  7. The iFrame connected to example.accounts.cloud.sap can neither access cookies of the same SAP Cloud Identity Services – Identity Authentication tenant set in the context of example.accounts.ondemand.com nor use cookies under the context of example.accounts.cloud.sap.

The iFrame connected to example.accounts.cloud.sap can neither access cookies of the same SAP Cloud Identity Services – Identity Authentication tenant set in the context of example.accounts.ondemand.com (a cookie is only sent to the host it was set for, or to its subdomains) nor use any cookies at all, since the main window is operated under ondemand.com and an iFrame running under cloud.sap is considered a third-party cookie scenario. The second aspect applies whenever the browser restricts the usage of third-party cookies. This is already the case for SAP Mobile Start on iOS, since its in-app browser is based on WebKit.

Figure: Schematic illustration of issues with the third-party cookie restrictions

In conclusion, the observed issues are caused by the fact that multiple cloud solutions are operated under different super domains. When these are integrated technically using an iFrame, which is the case for SAP Build Work Zone, standard edition in "in-place" mode, browsers will run – depending on their (default) settings – into third-party cookie restrictions. In the worst case, this makes the integrated business application unusable for some or all users.

Correcting the Configuration

To avoid such cross-domain scenarios and the resulting third-party cookie restrictions, it is key that all integrated cloud solutions – especially those running in an iFrame – are operated under the same root domain. This is often referred to as "having a Common Super Domain". Since SAP Build Work Zone, standard edition as a product supports the Common Super Domain of SAP, it is recommended to operate it in this case under cloud.sap – matching the root domain of the integrated SAP S/4HANA content.

In our example case this means we should consume our SAP Build Work Zone, standard edition site, to which the content is exposed, via the URL example.eu10.workzone.cloud.sap instead of the ondemand.com URL mentioned above. This holds true as well for the onboarding configuration of SAP Mobile Start, which can be done either via the QR Code shown in the User Settings when opened with the desired URL, or with a Managed App Configuration, where administrators push this configuration to enrolled mobile devices using an MDM system. Please note: In case you were already using SAP Build Work Zone, standard edition with the URL based on ondemand.com, you need to inform your users to use the desired URL going forward. The same applies to users previously onboarded to SAP Mobile Start.

In addition, adjust the SAP Cloud Identity Services – Identity Authentication tenant used by SAP Build Work Zone, standard edition to use the accounts.cloud.sap domain. This allows the Identity Provider session (and cookies in general) established for the main page of SAP Build Work Zone, standard edition to be reused by the app iFrame.
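The launch walk-through above and the corrected configuration in this section come down to two browser rules: a cookie is only sent to the host it was set for (or its subdomains), and under third-party cookie blocking an iFrame that is not under the super domain of the top-level page gets no usable cookies at all. The following JavaScript is an added example, not code from this blog post or from SAP, that models both rules and runs the imaginary landscape through them before and after the fix. It assumes the blog's simplified notion of a "super domain" (the last two labels of the hostname, e.g. cloud.sap or ondemand.com); real browsers derive the site from the Public Suffix List, so treat `superDomain()` as an approximation, and the landscape objects as constructed from the hostnames used in the text.

```javascript
// Added example (not code from the blog post or from SAP): a small model of the
// two cookie rules the blog's launch walk-through runs into.
//  1. Cookie scoping: a cookie set for one host is only sent to that host or its
//     subdomains (domain matching per RFC 6265, section 5.1.3).
//  2. Third-party context: with third-party cookies blocked, an iFrame whose
//     "super domain" differs from the top-level page gets no usable cookies at all.
// The "super domain" is simplified to the last two labels of the hostname, which
// is how the blog uses the term (cloud.sap, ondemand.com). Real browsers compute
// the site from the Public Suffix List, so this is an approximation.
// All hostnames below are the imaginary ones from the blog post.

function superDomain(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, "").split(".");
  if (labels.length < 2) {
    throw new Error(`not a fully qualified hostname: ${hostname}`);
  }
  return labels.slice(-2).join(".");
}

// True when the iFrame host is not under the same super domain as the top-level page.
function isThirdParty(topLevelHost, frameHost) {
  return superDomain(topLevelHost) !== superDomain(frameHost);
}

// RFC 6265 domain matching: the request host equals the cookie domain or is a
// subdomain of it. Note that "notexample.accounts.ondemand.com" does NOT match
// "example.accounts.ondemand.com" because the check requires a label boundary.
function cookieDomainMatches(requestHost, cookieDomain) {
  const host = requestHost.toLowerCase();
  const domain = cookieDomain.toLowerCase().replace(/^\./, "");
  return host === domain || host.endsWith("." + domain);
}

// For every host the iFrame navigates to, report whether the IdP session cookie
// would be sent at all (scoping) and whether the frame is a third-party context.
function analyseLaunch(landscape) {
  return landscape.frameHops.map((host) => ({
    host,
    idpCookieSent: cookieDomainMatches(host, landscape.idpCookieDomain),
    thirdParty: isThirdParty(landscape.topLevelHost, host),
  }));
}

// Under strict third-party cookie blocking the launch only works if no hop is third-party.
function launchBlocked(landscape) {
  return analyseLaunch(landscape).some((hop) => hop.thirdParty);
}

// Problematic landscape from the blog (constructed): Work Zone and its IdP session
// live under ondemand.com, while the S/4HANA app and its IdP live under cloud.sap.
const problematic = {
  topLevelHost: "example.launchpad.cfapps.eu10.hana.ondemand.com",
  idpCookieDomain: "example.accounts.ondemand.com",
  frameHops: ["my000000.s4hana.cloud.sap", "example.accounts.cloud.sap"],
};

// Corrected landscape (constructed): Work Zone and its IdP moved under cloud.sap.
const corrected = {
  topLevelHost: "example.eu10.workzone.cloud.sap",
  idpCookieDomain: "example.accounts.cloud.sap",
  frameHops: ["my000000.s4hana.cloud.sap", "example.accounts.cloud.sap"],
};

for (const [name, landscape] of Object.entries({ problematic, corrected })) {
  console.log(name, launchBlocked(landscape) ? "BLOCKED" : "ok", analyseLaunch(landscape));
}
```

Running it shows the problematic landscape flagged on both iFrame hops, while in the corrected landscape the hops are first-party and the Identity Authentication session cookie is sent to the IdP host again; the S/4HANA host itself still does not receive the IdP cookie, which is expected, since it obtains its own session after the (now working) redirect.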

Pro tip: We strongly recommend leveraging the "Identity Authentication" feature of SAP Build Work Zone, standard edition. This procedure establishes a direct trust using OpenID Connect to SAP Build Work Zone, standard edition and results in a dedicated "Application" entry within your SAP Cloud Identity Services – Identity Authentication tenant. This also enables you to maintain dedicated configuration settings, separately from your general trust to SAP BTP. At the time of writing this blog post, this feature is optional. It is very likely that it will gain much more relevance in the future – hence our strong recommendation already today.


Figure: Schematic illustration of a configuration to avoid third-party cookie scenarios


Summary – Key Take-Aways

  • Integrating Cloud Solutions that are operated under different super domains can cause issues due to third-party cookie restrictions in modern browsers.
  • Going forward, such issues can be solved by leveraging the Common Super Domain cloud.sap.
  • This also holds true for the configured Identity Provider, which creates and holds the user session.
  • SAP Build Work Zone, standard edition can be used with the Common Super Domain following the logical schema <subdomain>.<datacenter>.workzone.cloud.sap.
  • SAP Start can be used with the Common Super Domain following the logical schema <subdomain>.<datacenter>.start.cloud.sap.
  • Make sure to onboard SAP Mobile Start with the correct URL using the QR Code or an MDM solution, and make sure to roll it out correctly to all of your end-users.

Thanks to @florian_buech for co-authoring this article.
