Mitigate the impact of third-party cookie deprecation

Google is deprecating the use of third-party cookies in the Chrome browser.

A third-party cookie is one that's issued by a website other than the one you're visiting.

Cookies are written to the domain that receives the request. If your user sign-in domain is different from your org domain, then the cookies from your org are considered third-party on the sign-in domain.

If your Sign-In Widget configuration sets signin.mycompany.com as the baseURL or issuer, cookies are issued for mycompany.com when a user signs in. These cookies are considered first-party to all mycompany.com web pages.

If you have a self-hosted Sign-In Widget configuration that sets mycompany.okta.com as the baseURL or issuer, cookies are issued for okta.com. They're first-party cookies to okta.com, but third-party to mycompany.com.

Third-party cookie restrictions limit how your app can introspect or extend the Okta session. In this scenario, your users might encounter issues when they sign in, or might not be able to sign in at all.

You can test whether this change affects your org. See Deprecation of 3rd Party Cookies in Google Chrome.

Start this task

If your org is affected, you can create a custom domain and then point your apps to it. This ensures that your apps are all on the same domain as the one that issues the cookie.

  1. Set up a custom domain. See Customize domain and email address and Configure a custom domain.
  2. In the Admin Console, go to ApplicationsApplications.

  3. Select the app that you want to edit.
  4. On the Sign On tab, click Edit.
  5. In the OpenID Connect Token section, click Edit.
  6. Set the Issuer to Dynamic (based on request domain).
  7. Sign in to each of your apps and change the issuer in your app's code to your custom domain.

Related topics

The End of Third-Party Cookies

Configure a custom domain

Deprecation of 3rd Party Cookies in Google Chrome