Disabling Third-Party Cookies and SAP Domain Harmonization: What SAP Customers Need to Know
Introduction
Google has announced that it will end support for third-party cookies (3PC) in Chrome by the second half of 2024. This is part of a larger initiative, the so-called “Privacy Sandbox”, which aims to improve user privacy while enabling relevant advertising. The end of 3PCs has far-reaching implications that will also affect the SAP world, among others.
At the same time, SAP is pursuing the goal of establishing a uniform domain for its cloud applications, which will lead to a harmonization of the various modules. This blog covers the background, the key facts and possible solutions for this upcoming change.
What are cookies and third-party cookies?
In the digital world, cookies are an essential part of surfing the internet. They not only enable user settings to be saved, but also allow user activity to be tracked across different websites. However, this ability will soon be limited.
- Cookies: Small text files that are stored by websites on the user’s device to store information about the user’s interactions with the website. This includes, for example, login data, page settings or shopping cart content.
- First-party cookies: These are set directly by the website visited and store information such as login information or shopping cart content.
- Third-party cookies: These are not set by the visited website itself, but by third-party providers. They are often used by advertising networks to track users across different websites and show them targeted advertising.
Cookies can potentially be used to track user activity without their knowledge, leading to privacy concerns.
The Privacy Sandbox Initiative
The end of 3PCs has far-reaching implications for digital marketing and the advertising industry, as it changes the way user tracking and personalized advertising work.
The Privacy Sandbox initiative has several key objectives:
- Protecting user privacy: Improving privacy on the web by reducing invasive tracking methods.
- Preservation of advertising financing: Creating a balance between data protection and the financing of the open web through advertising.
- Prevention of fingerprinting: combating techniques that attempt to identify users without their consent.
- Promoting transparency and control: Giving users more transparency and control over the use of their data.
- Creation of new web standards: Development of new, industry-wide standards that can be adopted by all browsers and platforms.
Effects of the shutdown of 3PCs
The deactivation of third-party cookies has far-reaching technical and operational consequences:
- Personalized advertising: Without third-party cookies, it will be more difficult to track users across different websites and show them personalized advertising. Advertisers need to develop alternative tracking methods.
- Attribution: Assigning conversions to specific marketing channels becomes more complex as cross-device tracking is limited.
- Less personalized content: Websites and services can collect less data about user interactions, resulting in less personalized content and recommendations.
- Login and authentication: More frequent logins may be required as session information may not be as easily shared.
Why is it critical?
Integration of external content
If content from external sites is embedded, for example via iFrames (often the case with Build Work Zone), these external sites can also write cookies. This currently allows tracking across different pages, which is important both for advertising purposes and for the user experience.
SSO and cross-platform functionalities
Single Sign-On (SSO) allows users to access different, independent systems with a single login. This functionality often depends on third-party cookies. As soon as these are switched off, SSO will no longer work as usual across different platforms.
API accesses and session cookies
Many applications use session cookies to access protected resources via APIs. Disabling third-party cookies could also affect these accesses.
Are API integrations affected?
There was confusion about the impact on API integrations. Some sources say: “The shutdown only affects UI integration. API and Secure File Transfer Protocol (SFTP) integrations are not affected.”
So what is true?
Although the shutdown mainly affects UI integration, companies should be cautious. If APIs use session cookies and these are used across different domains, they could still be affected. It is therefore advisable to check all integrations and ensure that they are not dependent on third-party cookies.
The harmonization of SAP Cloud domains
SAP has begun the process of creating a unified domain for its cloud applications, starting with SuccessFactors. Until now, different modules such as LMS, Onboarding and BizX have used different domains. The aim is to harmonize these under the uniform cloud.sap domain.
This change is also expected to be implemented in other SAP cloud systems from 2025, so that all applications use the same domain. Administrators can already choose the domain under which the service should be accessible in SAP BTP, either ondemand.com or cloud.sap. If you are now in the process of establishing a BTP service, we strongly recommend that you already use the cloud.sap domain to avoid later migrations.
Effects on authentication
SAML2 and OpenID Connect
In connection with the services offered by SAP, such as SuccessFactors, it is important that the metadata for SAML2 is exchanged again between the SAP Cloud Identity Services Tenant and the service as soon as these changes are implemented.
OpenID Connect (OIDC) is also affected by these changes. In the course of domain harmonization by SAP, redirect URIs should be adapted to the new cloud.sap domain. This ensures that the authorization and token requests are forwarded correctly to the central domain.
APIs
Systems that use the SAP APIs to read or write data from SAP Services or BTP could be affected by these changes. At the time of migration, ensure that you have identified all systems that access or connect to BTP and its SaaS solutions, and then migrate your systems one by one. This will ensure that authentication continues to work smoothly.
The time frame
- Switching off 3PCs: Google plans to switch off third-party cookies for good from the second half of 2024.
- SAP domain harmonization: The exact changeover dates for SAP BTP and the associated services are still unclear, but the changeover to the uniform domain is expected to begin in 2025.
Solutions and migration strategies
CHIPS and Storage Access API
One of the proposed solutions is the use of CHIPS (Cookies Having Independent Partitioned State). With CHIPS, a cookie set by embedded content is partitioned by the top-level site under which it was set, so it can only be used there and not across multiple sites. In addition, the Storage Access API enables embedded content to use its unpartitioned cookies as if they had been set in the top-level context.
Current information:
- From May 22, 2023, the Storage Access API will be available for all SAP Cloud Identity Services tenants.
- We recommend that you test your application. You can find more information here:
- This is also what Identity Authentication currently uses and supports. Read more at:
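To make the difference between partitioned and unpartitioned cookies concrete, the following added example (not code from SAP, Google or the original post) classifies `Set-Cookie` headers by how the cookie behaves when the application is embedded in a cross-site iFrame and third-party cookies are blocked. The cookie names and values are constructed sample data.

```javascript
// Added example (not SAP or Google code): classify Set-Cookie headers by how the
// cookie behaves inside a cross-site iframe once third-party cookies are blocked.

function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((part) => part.trim());
  const eq = pair.indexOf('=');
  const attrs = {};
  for (const attr of rest.filter(Boolean)) {
    const i = attr.indexOf('=');
    const key = (i < 0 ? attr : attr.slice(0, i)).trim().toLowerCase();
    attrs[key] = i < 0 ? true : attr.slice(i + 1).trim();
  }
  return { name: eq < 0 ? pair : pair.slice(0, eq), attrs };
}

function classifyForEmbedding(header) {
  const { name, attrs } = parseSetCookie(header);
  // Chrome treats a cookie without a SameSite attribute as SameSite=Lax.
  const sameSite = String(attrs.samesite || 'lax').toLowerCase();
  const secure = attrs.secure === true;
  const partitioned = attrs.partitioned === true;

  if ((partitioned || sameSite === 'none') && !secure) {
    return { name, verdict: 'rejected', note: 'SameSite=None and Partitioned both require Secure' };
  }
  if (sameSite !== 'none') {
    return { name, verdict: 'same-site-only', note: 'not sent in cross-site iframes' };
  }
  if (partitioned) {
    return { name, verdict: 'partitioned', note: 'CHIPS: separate cookie jar per top-level site' };
  }
  return { name, verdict: 'blocked-unpartitioned', note: 'needs Storage Access API grant or migration' };
}

// Constructed sample headers, as an embedded application might send them.
const SAMPLE_HEADERS = [
  'JSESSIONID=abc123; Path=/; HttpOnly',
  'sso_state=xyz789; Path=/; Secure; HttpOnly; SameSite=None',
  '__Host-embed=q1w2e3; Path=/; Secure; HttpOnly; SameSite=None; Partitioned',
  'legacy_pref=1; Path=/; SameSite=None',
];

function auditCookies(headers) {
  return headers.map(classifyForEmbedding);
}

console.table(auditCookies(SAMPLE_HEADERS));
```

Cookies reported as `blocked-unpartitioned` are the ones an embedded login or session flow loses when third-party cookies are switched off.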
Chrome for Testing
To test the effects of Google’s third-party cookie deactivation, companies should use the special version of Chrome for Testing. This version makes it possible to simulate the changes and identify and resolve potential problems at an early stage.
Chrome Enterprise Policies
Companies can use Chrome Enterprise Policies to allow cookies for specific pages.
Important: However, this is only a temporary solution and only buys time! This function will also be switched off in the coming quarters after Q1 2025.
Centralized domains
Another strategy is to unify all integrations under a common domain. This avoids the challenges of third-party cookie deactivation, because no “third-party” cookies are created when everything is served from one domain.
Examples:
- Microsoft Loop: Moving from loop.microsoft.com to loop.cloud.microsoft.
- SAP: Switch from ondemand.com and all other cloud domains to cloud.sap.
Conclusion & call to action
The deactivation of third-party cookies by Google and the harmonization of SAP cloud domains represent significant changes that will affect many existing systems and applications. Companies need to act now and implement appropriate strategies and solutions to ensure that their services continue to function seamlessly.
They can prepare for these changes and adapt their systems by using tools such as Chrome for Testing and implementing technologies such as CHIPS and the Storage Access API.
Organizations should begin immediately to determine the impact of the 3PC shutdown on their applications and take appropriate action. Use the tools and technologies provided to prepare for these significant changes. Monitor developments and stay informed to ensure that your systems and applications continue to function optimally, even after Google shuts down third-party cookies and SAP harmonizes its cloud domains.
Note: To ease the transition and give application operators more time to implement a final solution, Google offers the option of temporarily opting out of the third-party cookie deactivation via a deprecation trial.
- Further information can be found here:
FAQ
Q: What are the implications for the trust relationships between the Cloud Identity Services and the BTP (Platform & Application IdP)?
A: We assume that every trust relationship must be created anew if this is not automatically implemented by SAP. We therefore recommend ensuring that the cloud.sap domain is already used today when creating trust relationships.
Q: How will SAP itself implement iFrames in the Build Work Zone to keep them in use?
A: This point leaves a lot of room for speculation. It is possible that Google will offer a solution to this problem or that it will be implemented using the Storage Access API.
Common Super Domain
SAP SuccessFactors offers the Common Super Domain feature to mitigate the impact of eliminating third-party cookies. Browser vendors are discontinuing support for third-party cookies to comply with new laws designed to prevent the tracking of browser behavior by advertising companies.
This elimination affects SAP SuccessFactors products. Customers must therefore migrate all SAP SuccessFactors HCM Suite products as well as products such as Learning (LMS), Employee Central Payroll (ECP) and Onboarding 1.0 (ONB1.0).
Effects of the third-party cookie deactivation on SAP SuccessFactors applications
The shutdown mainly affects the UI integration. API and Secure File Transfer Protocol (SFTP) integrations are not affected.
- User authentication and single sign-on (SSO) could be impaired.
- Embedded iFrames, where content is loaded from one of the SAP SuccessFactors products, might not load.
- Internal product integrations of SAP SuccessFactors may not work.
- External partner UI integrations may not work, and corresponding iFrames may not load the content.
Example of the use of the Common Super Domain
Let’s assume that users access SAP SuccessFactors applications directly via the URL performancemanager.successfactors.eu. Different products within the HCM Suite have URLs that end in different domains:
- Learning (LMS): <companyID>.plateau.com
- Onboarding 1.0 (ONB1.0): onboarding4.successfactors.eu
- Workforce Analytics (WFA): analyticspreview.sapsf.com
- Employee Central Payroll (ECP): <systemID>.payroll.ondemand.com
All of these URLs are associated with different domains and are considered third-party providers in the context of the SAP SuccessFactors application URL.
As of 2H 2023 release, SAP SuccessFactors provides an automated solution to help customers and partners migrate from legacy domains to a new Common Super Domain. The URLs would then look like this:
- Learning (LMS): <companyID>.hr.cloud.sap
- Onboarding 1.0 (ONB1.0): onboarding4.hr.cloud.sap
- Workforce Analytics (WFA): analyticspreview.hr.cloud.sap
- Employee Central Payroll (ECP): <systemID>.payroll.hr.cloud.sap
SAP IAS support
SAP IAS can support both ondemand.com and cloud.sap access at the same time, and these are already available.
- The IAS Tenant ID remains the same – i.e. the name under Tenant Settings in the IAS Admin Console does not change.
- For example, if the name is xxxx.xxxx.ondemand.com, it remains unchanged.
- If this tenant name is changed, all applications connected to this IAS would need to update the SAML Issuer Name in each affected application. As many applications may be connected to a single IAS, such a change could have a significant impact on the operation of the connected applications.
- If you can migrate all applications that use SAP IAS for authentication to the same Common Super Domain (CSD), you can change the name of the IAS to the CSD.
Related articles
- Preparing and testing your solution for the deactivation of third-party cookies
- SAP BTP and the deactivation of third-party cookies
- SAP SuccessFactors Third-Party-Cookies and Common Super Domain Rollout
- Dealing with the deactivation of third-party cookies in Identity Authentication
- Third-party cookies and SAP Analytics Cloud
- SAP SuccessFactors Common Super Domain Migration
Recording of the DSAG SAP online session
A recording of the DSAG SAP online session on this topic can be found here (in German).