Azure Active Directory Safari Redirection Issue

Question

There seems to be a current issue with logging into Microsoft Online with Mac OS and iOS devices utilizing the newest version of Safari (12).

The updates on Safari 12 are shown here: https://developer.apple.com/safari/whats-new/

Due to some of the new Security and Privacy updates, there seems to be a cookie issue that is causing infinite redirection when logging into the endpoint: http://login.microsoftonline.com

This new update causes Safari on Apple device users to go into a redirect infinite loop when logging in.

This is most likely due to Safari not letting the Microsoft cookie through, which causes Microsoft's servers to redirect back to the login page to get the cookie required. However, the browser still has some identity information which causes the user to automatically log in again, redirecting to the server. The cookie is still not sent along with the request, causing the server to send the user back to the login page. This redirection from server and browser seems to be the main reason behind the infinite redirection.

Is there any update, reasoning, or resolution to resolve/workaround the problem behind the Safari and Microsoft login redirection issue?

Answer 1

You are correct. There are some known issues with AAD's Safari compatibility. You can make a new feature request in User Voice or upvote and subscribe to some of the existing ones.

https://support.microsoft.com/en-us/help/2535227/a-federated-user-is-prompted-unexp https://feedback.azure.com/forums/223579-azure-portal/suggestions/34373635-fix-signing-in-in-safari https://feedback.azure.com/forums/223579-azure-portal/suggestions/7513912-does-not-work-well-on-safari-but-works-fine-on-chr

UPDATE: the product team has gotten back and replied that this is an issue on Apple's end. The current status is that the Apple team and Microsoft's PG team are working on it but there is nothing that the Microsoft development team can do because there is nothing wrong on Microsoft's side. The issue is that Apple is not properly sending cookies to login.microsoftonline server because of the new privacy and security updates. https://developer.apple.com/safari/whats-new/

Answer 2

There is a solution documented by the aspnet/security team on GitHub.

https://github.com/aspnet/Security/issues/1864

If you are using ASP.NET Core Identity you disable the protection by configuring cookies with the following code

services.ConfigureExternalCookie(options => {
    // Other options
    options.Cookie.SameSite = SameSiteMode.None; }); services.ConfigureApplicationCookie(options => {
    // Other options
    options.Cookie.SameSite = SameSiteMode.None; });

If you are using cookie authentication without ASP.NET Core identity you can turn off the protection with the following code

services.AddCookie(CookieAuthenticationDefaults.AuthenticationScheme, options => {
    // Other options
    options.Cookie.SameSite = Microsoft.AspNetCore.Http.SameSiteMode.None; })

If you are using external OIDC providers you may be able to avoid the issue by changing the response mode your provider uses from a POST to a GET request, using the following code. Not all providers may support this.

.AddOpenIdConnect("myOIDProvider", options => {
    // Other options
    options.ResponseType = "code";
    options.ResponseMode = "query";
};