Google has announced that it will end support for third-party cookies (3PC) in Chrome by the second half of 2024. This is part of a larger initiative, the so-called “Privacy Sandbox”, which aims to improve user privacy while enabling relevant advertising. The end of 3PCs has far-reaching implications that will also affect the SAP world, among others.
At the same time, SAP is pursuing the goal of establishing a uniform domain for its cloud applications, which will lead to a harmonization of the various modules. This blog provides information on the background, the most important information and possible solutions for this upcoming change.
In the digital world, cookies are an essential part of surfing the internet. They not only enable user settings to be saved, but also allow user activity to be tracked across different websites. However, this ability will soon be limited.
Cookies can potentially be used to track user activity without their knowledge, leading to privacy concerns.
The end of 3PCs has far-reaching implications for digital marketing and the advertising industry, as it changes the way user tracking and personalized advertising work.
The Privacy Sandbox initiative has several key objectives:
The deactivation of third-party cookies has far-reaching technical and operational consequences:
Integration of external content
If content from external sites, such as via iFrames (often the case with Build Work Zone), is integrated, these external sites can also write cookies. This currently allows tracking across different pages, which is important both for advertising purposes and for the user experience.
SSO and cross-platform functionalities
Single Sign-On (SSO) allows users to access different, independent systems with a single login. This functionality often depends on third-party cookies. As soon as these are switched off, SSO will no longer work as usual across different platforms.
API accesses and session cookies
Many applications use session cookies to access protected resources via APIs. Disabling third-party cookies could also affect these accesses.
Are API integrations affected?
There was confusion about the impact on API integrations. Some sources say: “The shutdown only affects UI integration. API and Secure File Transfer Protocol (SFTP) integrations are not affected.”
So what is true?
Although the shutdown mainly affects UI integration, companies should be cautious. If APIs use session cookies and these are used across different domains, they could still be affected. It is therefore advisable to check all integrations and ensure that they are not dependent on third-party cookies.
SAP has begun the process of creating a unified domain for its cloud applications, starting with SuccessFactors. Until now, different modules such as LMS, Onboarding and BizX have used different domains. The aim is to harmonize these under the uniform cloud.sap domain.
This change is also expected to be implemented in other SAP cloud systems from 2025, so that all applications use the same domain. Administrators can already choose the domain under which the service should be accessible in SAP BTP, either ondemand.com or cloud.sap. If you are now in the process of establishing a BTP service, we strongly recommend that you already use the cloud.sap domain to avoid later migrations.
In connection with the services offered by SAP, such as SuccessFactors, it is important that the metadata for SAML2 is exchanged again between the SAP Cloud Identity Services Tenant and the service as soon as these changes are implemented.
OpenID Connect (OIDC) is also not unaffected by these changes. In the course of domain harmonization by SAP, redirect URIs should be adapted to the new cloud.sap domain. This ensures that the authorization and token requests are forwarded correctly to the central domain.
Systems that use the SAP APIs to read or write data from SAP Services or BTP could be affected by these changes. At the time of migration, ensure that you have identified all systems that may be accessing or moving towards BTP and its SaaS solutions and then migrate all your systems one by one. This will ensure that authentication continues to work smoothly.
One of the proposed solutions is the use of CHIPS (Cookies Having Independent Partitioned State). With CHIPS, cookies can only be used on the page on which they were set and not across multiple pages. In addition, the Storage Access API enables unpartitioned cookies to be used in all embeddings as if they had been set in the top-level context.
Current information:
To test the effects of Google’s third-party cookie deactivation, companies should use the special version of Chrome for Testing. This version makes it possible to simulate the changes and identify and resolve potential problems at an early stage.
Companies can use Chrome Enterprise Policies to allow cookies for specific pages.
Important: However, this is only a temporary solution and only buys time! This function will also be switched off in the coming quarters after Q1 2025.
Another strategy is to implement the unification of all integrations under a common domain, which avoids the challenges of third-party cookie deactivation, as no “third-party” cookies are created, but everything is unified under one domain.
Examples:
The deactivation of third-party cookies by Google and the harmonization of SAP cloud domains represent significant changes that will affect many existing systems and applications. Companies need to act now and implement appropriate strategies and solutions to ensure that their services continue to function seamlessly.
They can prepare for these changes and adapt their systems by using tools such as Chrome for Testing and implementing technologies such as CHIPS and the Storage Access API.
Organizations should begin immediately to determine the impact of the 3PC shutdown on their applications and take appropriate action. Use the tools and technologies provided to prepare for these significant changes. Monitor developments and stay informed to ensure that your systems and applications continue to function optimally, even after Google shuts down third-party cookies and harmonizes SAP cloud domains.
Note: To ease the transition and give application operators more time to implement a final solution, Google offers the option of opting out of the third-party cookie opt-out via a deprecation trial.
Q: What are the implications for the trust relationships between the Cloud Identity Services and the BTP (Platform & Application IdP)?
A: We assume that every trust relationship must be created anew if this is not automatically implemented by SAP. We therefore recommend ensuring that the cloud.sap domain is already used today when creating trust relationships.
Q: How will SAP itself implement iFrames in the Build Work Zone to keep them in use?
A: This point leaves a lot of room for speculation. It is possible that Google will offer a solution to this problem or that it will be implemented using the Storage Access API.
SAP SuccessFactors offers the Common Super Domain feature to mitigate the impact of eliminating third-party cookies. Browser vendors are discontinuing support for third-party cookies to comply with new laws designed to prevent the tracking of browser behavior by advertising companies.
This elimination affects SAP SuccessFactors products. Customers must therefore migrate all SAP SuccessFactors HCM Suite products as well as products such as Learning (LMS), Employee Central Payroll (ECP) and Onboarding 1.0 (ONB1.0).
The shutdown mainly affects the UI integration. API and Secure File Transfer Protocol (SFTP) integrations are not affected.
Let’s assume that users access SAP SuccessFactors applications directly via the URL performancemanager.successfactors.eu. Different products within the HCM Suite have URLs that end in different domains:
All of these URLs are associated with different domains and are considered third-party providers in the context of the SAP SuccessFactors application URL.
As of 2H 2023 release, SAP SuccessFactors provides an automated solution to help customers and partners migrate from legacy domains to a new Common Super Domain. The URLs would then look like this:
SAP IAS can support both ondemand.com and cloud.sap access at the same time, and these are already available.
A recording of the DSAG SAP online session on this topic can be found here (in German).
You are currently viewing a placeholder content from Vimeo. To access the actual content, click the button below. Please note that doing so will share data with third-party providers.
More InformationYou are currently viewing a placeholder content from YouTube. To access the actual content, click the button below. Please note that doing so will share data with third-party providers.
More InformationYou need to load content from reCAPTCHA to submit the form. Please note that doing so will share data with third-party providers.
More InformationYou are currently viewing a placeholder content from Facebook. To access the actual content, click the button below. Please note that doing so will share data with third-party providers.
More InformationYou need to load content from hCaptcha to submit the form. Please note that doing so will share data with third-party providers.
More InformationYou need to load content from reCAPTCHA to submit the form. Please note that doing so will share data with third-party providers.
More InformationYou need to load content from Turnstile to submit the form. Please note that doing so will share data with third-party providers.
More InformationYou are currently viewing a placeholder content from Hubspot Meetings. To access the actual content, click the button below. Please note that doing so will share data with third-party providers.
More InformationYou are currently viewing a placeholder content from Instagram. To access the actual content, click the button below. Please note that doing so will share data with third-party providers.
More InformationYou are currently viewing a placeholder content from X. To access the actual content, click the button below. Please note that doing so will share data with third-party providers.
More Information