LTI with Google Chrome (iframe), Juniper and HTTPS via Nginx

Hello, we are trying to get LTI in Canvas with Juniper working using the native install. We are running LMS/Studio via Nginx on port 443 (HTTPS).

The cookies are reporting SameSite=None and Secure as I found in a bunch of other documentation.

In Chrome on Canvas, we see the embedded sequential block show up; however, when we click any of the navigation in the block, we get the popup stating:

You have been logged out of your edX account. Click Okay to log in again now. Click Cancel to stay on this page (you must log in again to save your work).

In the logs this is what I am seeing:

2020-09-01 04:05:33,561 INFO 22376 [audit] [user 29] models.py:2450 - Login success - user.id: 29
[2020-09-01 04:05:47 +0000] [22376] [INFO] POST /event
[2020-09-01 04:05:47 +0000] [22379] [INFO] POST /courses/course-v1:NLA+IL1010+20_21/xblock/block-v1:NLA+IL1010+20_21+type@sequential+block@aabc642aab3f44ffb7d96af6e3512e81/handler/xmodule_handler/get_completion
[2020-09-01 04:05:47 +0000] [22378] [INFO] POST /courses/course-v1:NLA+IL1010+20_21/xblock/block-v1:NLA+IL1010+20_21+type@sequential+block@aabc642aab3f44ffb7d96af6e3512e81/handler/xmodule_handler/goto_position
2020-09-01 04:05:48,130 WARNING 22376 [django.security.csrf] [user None] log.py:228 - Forbidden (CSRF cookie not set.): /event

So I started trying to track down all of the different CSRF and CORS settings I could, and this is what I have:

"CORS_ORIGIN_ALLOW_ALL": true,
"CORS_ORIGIN_WHITELIST": ['*'],
"ENABLE_CORS_HEADERS": true,
"CROSS_DOMAIN_CSRF_COOKIE_DOMAIN": ".online.example.org",
"CROSS_DOMAIN_CSRF_COOKIE_NAME": ".online.example.org",
"CSRF_COOKIE_SECURE": true,
"CSRF_TRUSTED_ORIGINS": ['*'],
"ENABLE_CROSS_DOMAIN_CSRF_COOKIE": true,

I believe I took this from my server-vars.yml which feeds into /edx/etc/{lms,studio}.yml and /edx/app/edxapp/{lms,cms}.env.json.

We would rather it be embedded instead of having to open in a new window. So any help would be greatly appreciated!

Thank you!


Not sure if this better explains what I am seeing: https://community.canvaslms.com/t5/Developers-Group/Safari-13-1-and-LTI-Integration/ba-p/273051 or if this is a different problem coming down the road.

Just a heads up, this works in Google Chrome when Third Party cookies aren’t blocked. Not the default setting in Incognito mode.

Is there any talk/work on creating a workflow for allowing anonymous access to course content via LTI, with the big movement towards not allowing 3rd party cookies without user interaction?
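
The log excerpt from the first post, turned into a triage check (an added example, not part of the thread or of Open edX): it flags `CSRF cookie not set` rejections logged as `[user None]` shortly after a login success, which is the pattern reported above when third-party cookies are blocked in the iframe. The function names and the 60-second window are assumptions; the sample lines are copied from the post.

```python
import re
from datetime import datetime

# Log lines copied from the first post (application log plus one gunicorn access line).
SAMPLE_LOG = """\
2020-09-01 04:05:33,561 INFO 22376 [audit] [user 29] models.py:2450 - Login success - user.id: 29
[2020-09-01 04:05:47 +0000] [22376] [INFO] POST /event
2020-09-01 04:05:48,130 WARNING 22376 [django.security.csrf] [user None] log.py:228 - Forbidden (CSRF cookie not set.): /event
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3} (?P<level>\w+) (?P<pid>\d+) "
    r"\[(?P<logger>[^\]]+)\] \[user (?P<user>[^\]]+)\] \S+ - (?P<msg>.*)$"
)
CSRF_RE = re.compile(r"^Forbidden \(CSRF cookie not set\.\): (?P<path>\S+)")

def parse(text):
    """Yield one dict per application-log line; other lines (gunicorn access log) are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
            yield rec

def cookieless_csrf_after_login(text, window_s=60):
    """Return CSRF rejections logged as anonymous within window_s seconds of a login.

    Assumption: such a rejection right after 'Login success' means the browser
    did not send back the session/CSRF cookies it had just been given.
    """
    last_login, findings = None, []
    for rec in parse(text):
        if rec["logger"] == "audit" and rec["msg"].startswith("Login success"):
            last_login = rec
            continue
        m = CSRF_RE.match(rec["msg"])
        if not m or rec["logger"] != "django.security.csrf" or rec["user"] != "None":
            continue
        if last_login is None:
            continue
        delta = int((rec["ts"] - last_login["ts"]).total_seconds())
        if delta <= window_s:
            findings.append({"path": m["path"], "login_user": last_login["user"],
                             "seconds_after_login": delta})
    return findings

if __name__ == "__main__":
    for finding in cookieless_csrf_after_login(SAMPLE_LOG):
        print(finding)
```

A finding here says only that the request arrived without cookies; whether the cause is browser third-party cookie blocking or a cookie attribute problem still has to be confirmed in the browser's developer tools.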