Description

djangosaml2 is not setting the `SameSite` attribute on the `saml_session` cookie, which leaves it up to browsers to decide whether the cookie is sent with cross-site requests. Browsers are starting to default to `SameSite=Lax` when a cookie is missing a `SameSite` attribute, see:

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite#browser_compatibility
https://www.chromestatus.com/feature/5088147346030592

This behaviour breaks SP-initiated login with the HTTP-POST protocol when using djangosaml2, since browsers will refuse to send the `saml_session` cookie in the request to `/saml2/acs/` (because that request is a third-party request initiated by the IdP). This causes djangosaml2 to raise an `UnsolicitedResponse` error.

I think that djangosaml2 should explicitly set `SameSite=None` on the `saml_session` cookie. This would allow the cookie to be sent in third-party requests.

This issue is very similar to #243, but I think there might have been some confusion there between calling `response.set_cookie` with `samesite=None` (which results in a cookie without a `SameSite` attribute), and setting `SameSite=None` on the cookie.
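The distinction above, as an added stdlib-only illustration (not code from djangosaml2 or Django): `build_set_cookie` mirrors how Django's `set_cookie` treats its `samesite` argument (Python `None` emits no attribute, the string `"None"` emits `SameSite=None`), and `sent_on_cross_site_post` models whether a browser that defaults attribute-less cookies to `Lax` would attach the cookie to the IdP's cross-site POST to `/saml2/acs/`. The function names and the `Secure` requirement for `SameSite=None` are assumptions of this example.

```python
from http.cookies import SimpleCookie


def build_set_cookie(name, value, samesite=None, secure=True):
    """Build a Set-Cookie header string.

    Mirrors Django's set_cookie semantics for samesite (assumption of this
    example): Python None -> no SameSite attribute at all; the string "None",
    "Lax" or "Strict" -> that attribute is emitted; anything else is rejected.
    """
    cookie = SimpleCookie()
    cookie[name] = value
    morsel = cookie[name]
    morsel["path"] = "/"
    morsel["httponly"] = True
    if secure:
        morsel["secure"] = True
    if samesite is not None:
        if samesite.lower() not in ("lax", "strict", "none"):
            raise ValueError("samesite must be 'Lax', 'Strict' or 'None'")
        morsel["samesite"] = samesite
    return morsel.OutputString()


def parse_samesite(set_cookie_header):
    """Return the SameSite value of a Set-Cookie header, or None if absent."""
    for part in set_cookie_header.split(";")[1:]:
        key, _, val = part.strip().partition("=")
        if key.lower() == "samesite":
            return val
    return None


def sent_on_cross_site_post(set_cookie_header, browser_default="Lax"):
    """Would a browser attach this cookie to a cross-site top-level POST?

    A missing attribute is treated as browser_default (Lax in current
    browsers). Only SameSite=None allows it, and browsers also require the
    Secure flag for SameSite=None cookies.
    """
    samesite = parse_samesite(set_cookie_header) or browser_default
    if samesite.lower() != "none":
        return False
    flags = [p.strip().lower() for p in set_cookie_header.split(";")]
    return "secure" in flags


# Constructed example: the same cookie issued both ways.
NO_ATTRIBUTE = build_set_cookie("saml_session", "abc123", samesite=None)
EXPLICIT_NONE = build_set_cookie("saml_session", "abc123", samesite="None")
```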