
Azure Active Directory Safari Redirection Issue


There seems to be a current issue with logging into Microsoft Online with macOS and iOS devices utilizing the newest version of Safari (12).

The updates on Safari 12 are shown here: https://developer.apple.com/safari/whats-new/

Due to some of the new Security and Privacy updates, there seems to be a cookie issue that is causing infinite redirection when logging into the endpoint: http://login.microsoftonline.com

This new update causes Safari users on Apple devices to go into an infinite redirect loop when logging in.

This is most likely due to Safari not letting the Microsoft cookie through, which causes Microsoft's servers to redirect back to the login page to get the cookie required. However, the browser still has some identity information which causes the user to automatically log in again, redirecting to the server. The cookie is still not sent along with the request, causing the server to send the user back to the login page. This redirection from server and browser seems to be the main reason behind the infinite redirection.

Is there any update, reasoning, or resolution to resolve/work around the problem behind the Safari and Microsoft login redirection issue?


Solution

  • There is a solution documented by the aspnet/security team on GitHub.

    https://github.com/aspnet/Security/issues/1864

    If you are using ASP.NET Core Identity, you disable the protection by configuring cookies with the following code:

    services.ConfigureExternalCookie(options => {
        // Other options
        // Stop restricting the external sign-in cookie to same-site requests
        options.Cookie.SameSite = SameSiteMode.None;
    });
    services.ConfigureApplicationCookie(options => {
        // Other options
        // Same for the application cookie
        options.Cookie.SameSite = SameSiteMode.None;
    });

    If you are using cookie authentication without ASP.NET Core Identity, you can turn off the protection with the following code:

    services.AddCookie(CookieAuthenticationDefaults.AuthenticationScheme, options => {
        // Other options
        // Fully qualified here because no Identity usings are in scope
        options.Cookie.SameSite = Microsoft.AspNetCore.Http.SameSiteMode.None;
    });

    If you are using external OIDC providers, you may be able to avoid the issue by changing the response mode your provider uses from a POST to a GET request, using the following code. Not all providers may support this.

    .AddOpenIdConnect("myOIDProvider", options => {
        // Other options
        // Authorization code flow, with the code returned in the query string
        // (a top-level GET) instead of a cross-site form POST
        options.ResponseType = "code";
        options.ResponseMode = "query";
    });
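The loop the question describes (cookie withheld on the cross-site callback, app challenges again, provider sends the user straight back) and both remedies in the answer (an unrestricted `SameSite` value, or a GET `query` response mode instead of a POST) follow from the browser's SameSite rules. The following Python model is an added example, not code from the question, the answer or the linked GitHub issue; it is a simulation of browser and app behaviour rather than ASP.NET code, and the cookie name, hop counts and `simulate_login`/`cookie_is_sent` names are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cookie:
    name: str
    same_site: str  # "Strict", "Lax" or "None"


@dataclass(frozen=True)
class Request:
    method: str       # "GET" or "POST"
    top_level: bool   # a navigation, not a subresource fetch
    cross_site: bool  # initiated from another site (here login.microsoftonline.com)


def cookie_is_sent(cookie: Cookie, req: Request) -> bool:
    """Standard SameSite rules: None is always sent, Lax only rides along on
    top-level GET navigations, Strict never crosses sites."""
    if not req.cross_site or cookie.same_site == "None":
        return True
    if cookie.same_site == "Lax":
        return req.top_level and req.method == "GET"
    return False  # Strict


def simulate_login(same_site: str, response_mode: str, max_hops: int = 5) -> int:
    """Round trips between app and identity provider until the app sees its
    sign-in state cookie on the callback. Returns max_hops when it never does,
    which is the infinite-redirect case from the question."""
    # Constructed cookie name: the cookie the app must receive on the callback.
    state = Cookie("app-signin-state", same_site)
    method = "POST" if response_mode == "form_post" else "GET"  # "query" = GET
    callback = Request(method=method, top_level=True, cross_site=True)
    hops = 0
    while hops < max_hops:
        hops += 1
        # The provider still holds the user's session, so every fresh challenge
        # comes straight back as another cross-site callback.
        if cookie_is_sent(state, callback):
            return hops  # cookie present, sign-in completes
        # Cookie withheld: the app cannot validate the callback and challenges again.
    return hops


if __name__ == "__main__":
    for ss, mode in [("Lax", "form_post"), ("Lax", "query"), ("None", "form_post")]:
        print(ss, mode, simulate_login(ss, mode))
```

Switching to `SameSite=None` removes the same-site restriction for every cross-site request, not just the sign-in callback, whereas the `query` response mode keeps `Lax` in place and only changes the callback to a top-level GET.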