WIF and Safari (iOS)

  • Question

  • Hi, I am really hoping someone may be able to help me out. I am currently experiencing an issue with a new release of software which is basically an ASP.NET WebForms solution secured using WIF (Windows Identity Foundation). As you would expect, we have an STS and relying parties; however, the issue is presenting with our website relying party. We are running in a passive scenario whereby our passive STS and relying party site XX are running under the same domain name. So if you want to access site XX, you will be redirected to the passive STS site and, once authenticated, bounced back to site XX.

    This all works great with IE, Firefox and Chrome on Windows machines, and it works on various browsers for Android devices; however, we get differing behaviour on iOS devices. The first and main issue is that on iPads and iPhones running Safari, once the user authenticates at the passive STS and is redirected to site XX, they are straight away redirected back to the passive STS.

    We don't have access to a lot of Apple devices to help with our diagnostics, so it is proving very difficult for us to diagnose how to resolve this issue. I am thinking the FedAuth cookies are being dropped or truncated, but we have added the following elements to try and reduce cookie size:

    <cookieHandler requireSsl="true" mode="Chunked">
      <chunkedCookieHandler chunkSize="1000"/>
    </cookieHandler>

    Any help on this issue would be hugely appreciated - it's driving my development team mad. Are there any known issues with Safari and WIF? I read a couple of posts around the net about known issues but no real answers.

    Friday, October 14, 2016 9:12 AM
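
One way to test the dropped-or-truncated-cookie hypothesis from the question, as an added example that is not part of the original post: compare the FedAuth chunks the relying party issued (WIF's chunked handler names them FedAuth, FedAuth1, FedAuth2, ...) with the chunks the browser sends on its next request. The function names and the sample headers are constructed for illustration; real headers would come from a proxy capture or server-side request logging.

```python
import base64
import re

CHUNK_RE = re.compile(r"^FedAuth(\d*)$")  # FedAuth, FedAuth1, FedAuth2, ...

def chunk_name(i):
    return "FedAuth" + (str(i) if i else "")

def parse_pairs(pairs):
    """Map chunk index -> value for the FedAuth cookies among 'name=value' strings."""
    chunks = {}
    for pair in pairs:
        name, _, value = pair.strip().partition("=")
        m = CHUNK_RE.match(name)
        if m:
            chunks[int(m.group(1) or 0)] = value
    return chunks

def diagnose(set_cookie_headers, cookie_header):
    """Compare the chunks the relying party set with those the browser sent back."""
    # Keep only the leading name=value of each Set-Cookie; drop path, secure, ...
    issued = parse_pairs(h.split(";", 1)[0] for h in set_cookie_headers)
    returned = parse_pairs(cookie_header.split(";"))
    return {
        "issued_bytes": sum(len(chunk_name(i)) + 1 + len(v) for i, v in issued.items()),
        "missing": [chunk_name(i) for i in sorted(issued) if i not in returned],
        "truncated": [chunk_name(i) for i in sorted(issued)
                      if i in returned and returned[i] != issued[i]],
    }

# Constructed sample: a stand-in token split every 1000 characters
# (assumption: mirrors chunkSize="1000"; real chunks hold the protected session token).
TOKEN = base64.b64encode(bytes(range(256)) * 9).decode()
PARTS = [TOKEN[i:i + 1000] for i in range(0, len(TOKEN), 1000)]
SET_COOKIES = [f"{chunk_name(i)}={p}; path=/; secure; HttpOnly"
               for i, p in enumerate(PARTS)]
# Constructed follow-up request: FedAuth2 cut short, FedAuth3 absent.
DAMAGED = "; ".join(["ASP.NET_SessionId=abc", f"FedAuth={PARTS[0]}",
                     f"FedAuth1={PARTS[1]}", f"FedAuth2={PARTS[2][:500]}"])

if __name__ == "__main__":
    print(diagnose(SET_COOKIES, DAMAGED))
```

Any entry under "missing" or "truncated" means the session token cannot be reassembled at the relying party, which would match the redirect back to the passive STS described above.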

All replies

  • From Dell's STS configuration document, it said this will only work for Safari when isSessionMode of passiveFedration node is set to true.

    http://support-public.cfm.software.dell.com/939_delloneidentityauthorizationpolicyserversts_4.5.2_configurationreferenceguide.pdf (page 27)

    isSessionMode: Attribute indicating if One Identity Authorization Policy Server STS’s cookies should be stored at the server, to reduce cookie size.
    NOTE: Safari® will only work with this setting enabled. Other browsers are more forgiving.

    Friday, October 14, 2016 11:30 AM
    Answerer
  • Thanks for the reply cheong00

    We are using .NET 4.5 and the isSessionMode property is now deprecated, replaced with isReferenceMode. We were aware of this technique and are going to give this a go to test it works, but didn't want to go down this route as we wanted to run across multiple servers and processes and have session running inProc.

    Any other advice is still appreciated if anyone has experience in this area.

    It seems strange that WIF will not work unless running without the cookies!

    Friday, October 14, 2016 11:47 AM
  • I don't know, maybe you can make a web service between the sites, to be called by the login page to set the STS token value across the servers. (Much like how PayPal gives you a web service to be called by your code-behind to verify transaction status when the user is redirected back from the payment page. It is possible to use a custom session identifier for creating and accessing sessions.)

    Make good use of VS's remote debugging function to check how the session state is maintained in WIF. Unfortunately my company does not have WIF so I cannot verify that for you. Try suggesting it to your development team to see if anyone is interested in figuring out how to make it work.

    Friday, October 14, 2016 4:45 PM
    Answerer