Our punchout customers are requiring us to keep our punchout catalog in a frame within their procurements systems. We have been told that Optimizely does not support this functionality as it causes conflict with their authentication API. We ask that this be reviewed and an update put in place to support framing of the punchout catalog.
The proposed work around was to "pop-out" the catalog. We do have the pop-out solution in place for our customers to access our catalog, but it is putting us in violation of their compliance requirements of our punchout. From one of our customers: "The behavior of the punchout is against our system policy and controls. Normally we would shut off catalogs with such non-compliant behavior. Alternate work arounds could be the move to a static catalog. "
Based on feedback from our punchout customers (all on Ariba), the current fix in place is no longer “valid as a long-term solutions” as noted in the response from Epi from 2020. Moving to a static catalog creates a lot of manual work and reduces the use of our online catalog and is not the path we want to go down.
Here is the previous stance from Epi:
2/20/2020 Update
Previously, we communicated that Episerver would provide an update to Epi B2B Commerce versions 4.5 and 4.6 to set SameSite cookies as “None; Secure” to allow the ability to render Epi B2B Commerce inside an iframe in some procurement platforms. After discussion with internal engineering team members and external PunchOut partners, including Punchout2Go, Supplier Solutions, and Greenwing, we decided not to proceed with these updates for the following reasons:
• Epi B2B Commerce 4.5 and previous SDKs use .NET versions earlier than 4.7.2, which is the version needed to set this flag on SameSite cookies as “None; Secure”, so it's not possible to issue a fix for these versions of the platform. Please see this article for information on the .NET Framework and how it handles SameSite cookies.
• Episerver could update Epi B2B Commerce 4.6 to set SameSite cookies as “None; Secure”, but this would impact the upcoming 5.0 release, which changes the way our commerce APIs authenticate. This new version of Epi B2B Commerce will use SameSite cookies, so setting these cookies to None, rather than Lax or Strict, would limit the functionality within our APIs.
• All of Insite's PunchOut partners have solutions in place to solve for this issue, which doesn't require Episerver to perform further development or deployments.
All Episerver PunchOut partners confirmed their fixes, which should already be implemented on your sites, are valid as long-term solutions. Episerver recommends reaching out to your PunchOut partner if you haven't done so yet.
2/13/2020 Notice
Google recently released Chrome 80, which changed how the browser handles cookies that are not secure with the SameSite=None attribute. This change may impact Epi B2B Commerce customers who integrate with PunchOut.
If Epi B2B Commerce websites render in Iframes through procurement platforms like Ariba or Jaggaer, Chrome 80 will not save the users' cookies. Instead, Epi B2B Commerce renders as if users are not logged in, and they cannot successfully complete their PunchOut sessions.
Episerver is working on updating Epi B2B Commerce Cloud and SDK versions 4.5 and 4.6 to set the flags Chrome 80 expects for secure cookies for websites rendered in Iframes. Until Episerver deploys this fix, we recommend reaching out to your PunchOut solutions partner. All of Episerver’s certified PunchOut partners have workarounds for rendering Epi B2B Commerce within Iframes. The workarounds may impact your customers by rendering your Epi B2B Commerce website in a pop-up window rather than an Iframe, but their shopping experience should otherwise remain the same.
Episerver will post another update indicating when we will deploy the fix for Epi B2B Commerce Cloud and SDK versions 4.5 and 4.6. We will also share how to fix this issue in earlier Epi B2B Commerce SDK versions.
Note: We will be implementing a fix for supported versions lower than 4.5 in the near future.
