Suite8 Graphle Error 403 Forbidden - XSRF-TOKEN = Lax

As an Update:

I managed to get this working both from iframe as well as direct connection. I believe there is an issue with the CSRFCookieListener.php file which is where I worked around the problem.

I am not a developer nor do I understand PHP code, however while troubleshooting, I was reading an article that referenced the need to define a $event->getResponse that would contain the trusted URLs in order to define the appropriate cookie. I didn’t see that in the PHP file but honestly I don’t know what I am looking for. Is this not something that would get picked up from the config? I have the trusted sites defined in the config.php.

However for now, by way of a workaround, I discovered that line 130 has a setting Cookie::SAMESITE_LAX.
Change this to SAMESITE_NONE.
This will set the cookie in both 3rd party cross-site iframe and 1st party cookie to None.
I will add that I also made changes to the vendor/symfony/http-foundation/Cookie.php and changed the following values as seen below:

    $data = [
        'secure' => true,
        'samesite' => 'none',
        'partitioned' => true,

The problem will become that an upgrade will break this again unless it gets addressed.

Does anyone have any experience or thoughts on the issue or perhaps what I may be configuring incorrectly?

Thanks
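
Added example, not part of the original post and not SuiteCRM or Symfony code: a small check that reads a `Set-Cookie` header for the XSRF-TOKEN cookie and reports which attributes would stop a browser from sending it from a cross-site iframe, so the effect of the workaround above can be confirmed after an upgrade. The function names and the header values are constructed for illustration.

```python
# Added example: checks whether a Set-Cookie header lets the browser send the
# cookie from a cross-site iframe. Header values in SAMPLES are constructed.

def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, attrs); attr keys are lowercased."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def iframe_cookie_findings(header, cookie_name="XSRF-TOKEN"):
    """Return a list of problems; an empty list means nothing blocks cross-site use."""
    name, _, attrs = parse_set_cookie(header)
    if name != cookie_name:
        return [f"not a {cookie_name} cookie"]
    findings = []
    samesite = attrs.get("samesite", "").lower()
    secure = "secure" in attrs
    if samesite == "":
        # Chromium-based browsers apply Lax when the attribute is absent.
        findings.append("SameSite missing: defaults to Lax, not sent from a cross-site iframe")
    elif samesite != "none":
        findings.append(f"SameSite={samesite}: not sent from a cross-site iframe")
    if samesite == "none" and not secure:
        findings.append("SameSite=None without Secure: browser rejects the cookie")
    if "partitioned" in attrs and not secure:
        findings.append("Partitioned without Secure: browser rejects the cookie")
    return findings


# Constructed sample headers: the Lax setting the post describes, the values
# the workaround sets, and two misconfigurations worth catching.
SAMPLES = {
    "lax": "XSRF-TOKEN=abc123; path=/; samesite=lax",
    "workaround": "XSRF-TOKEN=abc123; path=/; secure; samesite=none; partitioned",
    "none_insecure": "XSRF-TOKEN=abc123; path=/; samesite=none",
    "no_samesite": "XSRF-TOKEN=abc123; path=/; secure",
}

if __name__ == "__main__":
    for label, header in SAMPLES.items():
        print(label, "->", iframe_cookie_findings(header) or "OK for cross-site iframe")
```

With SameSite=None the browser no longer withholds the cookie on cross-site requests, so the server-side comparison of the token is what remains as the CSRF check.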