ADFS 2.0 Web SSO not working in current versions of Safari for Windows or iOS

    Question

  • Our current federation setup is based on an ADFS 2.0 IdP with a number of web-based RPs based on WS-Federation / SAML-P 2.0 Web SSO. We are currently seeking to extend the web SSO federation to mobile devices.

    During testing, we have found that all tested Android and Windows Phone devices (using their respective built-in browsers) work as expected. However, we found that some iPhone devices were prompting for credentials when attempting to switch between RPs. Further research has led us to the conclusion that the reason for this behavior is a hard limit of 4K for cookie data per domain that is enforced by some versions of Safari – notably the newest versions running on iPhone and iPad, as well as Safari for Windows (v 5.1.5).

    The MSISAuth cookies (of which there are always 3, chunked at 2K, at least with our setup) used by ADFS to “remember” the sign-in session exceed this limit, causing at least one of the chunks to be dropped by Safari. When the user's browser returns to the IdP to extend the web SSO to subsequent RPs, the session cannot be deserialized, and ADFS prompts for re-authentication.

    Safari 3.1, the version tested by Microsoft at the time of ADFS 2.0 RTW (http://technet.microsoft.com/en-us/library/ff678034%28v=ws.10%29.aspx ), did not impose these limits, and is therefore not affected by this issue.

    Exact steps to reproduce:

    1. Configure ADFS 2.0 with two web-based WIF RPs, RP1 and RP2.
    2. Using Safari for Windows (v 5.1.5) (or Safari for iPhone), browse RP1.
      1. Browser is redirected to the ADFS 2.0 sign-in page
    3. Sign in
      1. A set of chunked MSISAuth cookies totaling more than 4K in size is issued for the ADFS sign-in site.
      2. A token is POSTed to RP1, completing authentication for RP1
    4. Browse RP2.
      1. When the ADFS sign-on page is requested, at least one of the MSISAuth cookie chunks is missing and the web SSO session cannot be deserialized.

    Actual behavior:

    The user is prompted to authenticate

    Expected behavior:

    A token should be POSTed to RP2 with no user intervention

    This issue has been raised a couple of times on this forum already, but no workable solutions or workarounds have been found:
    http://social.msdn.microsoft.com/Forums/en-US/Geneva/thread/6a56e279-ce5a-4ae4-8ef3-dec5c067d334
    http://social.msdn.microsoft.com/Forums/en/Geneva/thread/5fb2e2f5-0d3a-416a-9638-919495a58436

    And of course, for the RP cookies, the solution is to use session mode for the cookies. However, this does not seem to be possible for the MSISAuth cookies:
    http://blogs.msdn.com/b/vbertocci/archive/2010/05/26/your-fedauth-cookies-on-a-diet-issessionmode-true.aspx
    http://social.msdn.microsoft.com/Forums/en/Geneva/thread/dc1e178f-46ab-4567-88b8-1f2541744908

    As such, my questions are:

    -       Is there any way to affect the size of the MSISAuth cookies, so as to reduce their total size to less than 4K (like the session mode of WIF, or through other means)?

    -       Does Microsoft support ADFS 2.0 web SSO federation with current versions of Safari on the desktop and on mobile devices? (If so, I believe this behavior is a bug.)

    Monday, April 16, 2012 1:35 PM
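A quick way to confirm the diagnosis in the question on your own setup is to total the cookies the sign-in host would have to send back and compare that with the 4K ceiling. The script below is an added example, not code from the thread: it parses Set-Cookie headers (for instance copied out of Fiddler), sums the bytes of the Cookie request header each host would build, groups chunked cookies (MSISAuth, MSISAuth1, ...) by family, and flags hosts over budget. The 4096-byte budget is taken from the question's description of Safari; the sample headers, host names and cookie values are constructed (real MSISAuth values are opaque encrypted blobs).

```python
"""Cookie budget check for a federation sign-in host (added example)."""
import re
from collections import defaultdict

COOKIE_BUDGET = 4096  # assumed per-domain ceiling, as described in the question


def parse_set_cookie(header, request_host):
    """Return (domain, name, value) from one Set-Cookie header value.

    A Domain attribute wins when present; otherwise the cookie is a host-only
    cookie belonging to the host that set it.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    domain = request_host.lower()
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        if key.strip().lower() == "domain" and val.strip():
            domain = val.strip().lstrip(".").lower()
    return domain, name.strip(), value.strip()


def cookie_budget(set_cookie_headers, budget=COOKIE_BUDGET):
    """set_cookie_headers: iterable of (request_host, Set-Cookie value).

    Returns {domain: {"bytes": n, "over_by": m, "cookies": {name: size}}}, where
    size is len("name=value") and bytes is the length of the Cookie request
    header the browser would send ("; " between cookies). A later Set-Cookie
    with the same name replaces the earlier one, as it would in the browser.
    """
    per_domain = defaultdict(dict)
    for host, header in set_cookie_headers:
        domain, name, value = parse_set_cookie(header, host)
        per_domain[domain][name] = len(name.encode()) + 1 + len(value.encode())
    report = {}
    for domain, cookies in per_domain.items():
        total = sum(cookies.values()) + 2 * (len(cookies) - 1)
        report[domain] = {
            "bytes": total,
            "over_by": max(total - budget, 0),
            "cookies": cookies,
        }
    return report


def chunk_families(cookies):
    """Group chunked cookies (MSISAuth, MSISAuth1, ... / FedAuth, FedAuth1, ...)
    by base name, so the report shows which family is eating the budget."""
    families = defaultdict(int)
    for name, size in cookies.items():
        families[re.sub(r"\d+$", "", name)] += size
    return dict(families)


def over_budget(report):
    """Domains that exceed the budget, worst first."""
    return sorted((d for d, r in report.items() if r["over_by"] > 0),
                  key=lambda d: -report[d]["over_by"])


# Constructed sample: three 2K MSISAuth chunks from the ADFS sign-in host and a
# small session-mode FedAuth cookie from one RP.
SAMPLE_HEADERS = [
    ("sts.example.com", "MSISAuth=" + "A" * 2000 + "; path=/adfs/ls; secure; HttpOnly"),
    ("sts.example.com", "MSISAuth1=" + "B" * 2000 + "; path=/adfs/ls; secure; HttpOnly"),
    ("sts.example.com", "MSISAuth2=" + "C" * 2000 + "; path=/adfs/ls; secure; HttpOnly"),
    ("rp1.example.com", "FedAuth=" + "D" * 500 + "; path=/; secure; HttpOnly"),
]

if __name__ == "__main__":
    report = cookie_budget(SAMPLE_HEADERS)
    for domain in sorted(report):
        r = report[domain]
        flag = "OVER by %d" % r["over_by"] if r["over_by"] else "ok"
        print("%-18s %5d bytes  %-13s %s" % (domain, r["bytes"], flag,
                                             chunk_families(r["cookies"])))
```

Feed it the Set-Cookie lines from a real sign-in capture and the sts host should come out roughly 2K over budget with the MSISAuth family accounting for almost all of it, which is the situation the question describes; an RP in WIF session mode stays well under.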

Answers

  • There is not very good documentation on the MSISAuth cookies so it is difficult to know what to do in this case.

    I have tried manually removing/editing the MSISAuth cookies from a global.asax customization but I could not ever get it to work properly. I think some tampering protection in ADFS made this more difficult.

    I was thinking that if there were some way of logging the cookies and then sending a GUID back to the mobile client that could be used to recreate the cookies, this might be a solution. I have not tried this before. This would be a similar approach to the one documented for WIF at http://social.msdn.microsoft.com/Forums/en/Geneva/thread/dc1e178f-46ab-4567-88b8-1f2541744908.

    I wonder if there is a browser setting to override the 4K max.

    Thanks, 


    If this answers your question, please use the "Answer" button to say so | Ben Cline

    Wednesday, April 18, 2012 4:18 PM

All replies

  • I do not think there is anything out-of-the-box which can do the cookie replacement, but I have implemented an HttpModule which does this, and it seems to do the trick. So that is going to be the workaround we will be using for now. The basic idea is to register custom code on BeginRequest and EndRequest.

    On EndRequest, I look for any MSISAuth* cookies in the Response.Cookies collection, persist them to backend storage (currently implemented with web-farm-unfriendly HttpApplication state, but I plan to move to DB storage) and replace them with a "reference key" cookie, using the IDs available in the deserialized SecurityContextToken as key.

    On BeginRequest, I look for an incoming "reference key" cookie in the Request.Cookies collection and swap it with the actual MSISAuth cookies which I previously persisted.

    If anyone is interested in the code, drop me a line or reply to this post, then I will post it somewhere or mail it to you.

    Thanks for pointing my thinking in the right direction Ben :-)

    Friday, April 20, 2012 11:56 AM
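The swap described in the post above, written out as an added example in the same shape (an IHttpModule hooking BeginRequest and EndRequest). This is not the poster's code: it assumes System.Web on the ADFS 2.0 sign-in site, the cookie name MSISAuthRef, a process-local dictionary as the backing store, and a random key instead of the SecurityContextToken IDs the poster used, so that nothing about the key is derivable by the client. The exact chunk names (MSISAuth, MSISAuth1, ...) follow the question.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text.RegularExpressions;
using System.Web;

// Replaces the chunked MSISAuth* cookies with one short reference-key cookie on
// the way out and restores them on the way in. ADFS still receives exactly the
// cookies it issued (its tamper protection is untouched); the browser only
// stores a ~45-byte key. Added example; names and store are assumptions.
public class MsisAuthReferenceCookieModule : IHttpModule
{
    private const string RefCookieName = "MSISAuthRef";   // assumed name
    // Exact chunk names only; other cookies that merely share the prefix stay.
    private static readonly Regex ChunkName = new Regex(@"^MSISAuth\d*$");

    // Hypothetical store: key -> stored chunks. Process-local, so a restart
    // drops every SSO session and a load-balanced farm needs a shared store
    // (database or cache) behind these same lookups.
    private static readonly Dictionary<string, List<HttpCookie>> Store =
        new Dictionary<string, List<HttpCookie>>();
    private static readonly object StoreLock = new object();

    public void Init(HttpApplication app)
    {
        app.BeginRequest += OnBeginRequest;
        app.EndRequest += OnEndRequest;
    }

    public void Dispose() { }

    // Inbound: MSISAuthRef -> the MSISAuth* chunks ADFS expects to read.
    private static void OnBeginRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        HttpCookie refCookie = ctx.Request.Cookies[RefCookieName];
        if (refCookie == null) return;

        List<HttpCookie> chunks = null;
        lock (StoreLock) { Store.TryGetValue(refCookie.Value, out chunks); }
        if (chunks == null) return;  // unknown or expired key: ADFS sees no session

        foreach (HttpCookie c in chunks)
        {
            ctx.Request.Cookies.Remove(c.Name);
            ctx.Request.Cookies.Add(new HttpCookie(c.Name, c.Value));
        }
    }

    // Outbound: MSISAuth* chunks -> store, MSISAuthRef -> browser.
    private static void OnEndRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        HttpCookieCollection outgoing = ctx.Response.Cookies;

        var chunks = new List<HttpCookie>();
        bool clearing = false;
        foreach (string name in outgoing.AllKeys)
        {
            if (!ChunkName.IsMatch(name)) continue;
            HttpCookie c = outgoing[name];
            chunks.Add(c);
            // Sign-out re-issues the chunks with an expiry in the past.
            if (c.Expires != DateTime.MinValue && c.Expires < DateTime.Now) clearing = true;
        }
        if (chunks.Count == 0) return;
        foreach (HttpCookie c in chunks) outgoing.Remove(c.Name);

        // Whatever key the browser sent is now stale: drop it so the store does
        // not grow without bound and a sign-out ends the session server-side too.
        HttpCookie inbound = ctx.Request.Cookies[RefCookieName];
        if (inbound != null) { lock (StoreLock) { Store.Remove(inbound.Value); } }

        HttpCookie template = chunks[0];
        var refCookie = new HttpCookie(RefCookieName)
        {
            Path = template.Path, Domain = template.Domain,
            HttpOnly = true, Secure = true
        };
        if (clearing)
        {
            refCookie.Value = string.Empty;
            refCookie.Expires = DateTime.Now.AddYears(-1);
        }
        else
        {
            // The key is a bearer credential for the SSO session: 256 bits from
            // the CSPRNG, never derived from anything the client could guess.
            string key = NewKey();
            lock (StoreLock) { Store[key] = chunks; }
            refCookie.Value = key;
            refCookie.Expires = template.Expires;  // session cookie when unset
        }
        outgoing.Add(refCookie);
    }

    private static string NewKey()
    {
        var bytes = new byte[32];
        new RNGCryptoServiceProvider().GetBytes(bytes);
        return Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    }
}
```

Register it in the sign-in site's web.config like any module (an add element under system.web/httpModules for the classic pipeline, or under system.webServer/modules for the integrated pipeline). Two things to keep in mind with this shape: the reference key now carries the whole SSO session, so it must be unguessable, Secure and HttpOnly, and store entries should expire with the chunks they hold; and Response.Cookies can no longer be changed once headers have been flushed, so the module only works for responses that have not started streaming when EndRequest fires.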
  • Sounds very interesting, I never tried building a custom HttpModule. I am interested; could you send the code to joeymaloney [at] hotmail.com? I would like to see how it works.

    Glad you got it working, I know a couple other threads on this forum exist with the same issue.

    Thanks,


    If this answers your question, please use the "Answer" button to say so | Ben Cline

    Friday, April 20, 2012 2:11 PM
  • Hi Michael, I'm very keen to see how you've done this. I've had a number of discussions over at my ADFS / SalesForce post about this and still haven't got a way forward. Rhys dot Goodwin at gmail or http://blog.rhysgoodwin.com/about/

    Cheers.
    Rhys

    Friday, May 11, 2012 10:01 PM
  • Rhys, I sent it to you just now. I have not tried it yet.

    Thanks,


    If this answers your question, please use the "Answer" button to say so | Ben Cline

    Saturday, May 12, 2012 5:34 AM
  • Anyone looked at using SAML Artifact Resolution to resolve this?

    David Lundell, Get your copy of FIM Best Practices Volume 1 http://blog.ilmbestpractices.com/2010/08/book-is-here-fim-best-practices-volume.html

    Sunday, May 27, 2012 2:16 PM
  • Michael,

    Wondered if you have this working in a load balanced server farm? I would be interested in seeing the code,

    Graciously,

    Charles C.

    Monday, June 11, 2012 5:50 PM
  • David,

    I don't think you understand the problem. It's manifested using Safari and the limit of the cookie size. It has nothing to do with the number or type of artifacts that I've been able to determine.

    Monday, June 11, 2012 9:41 PM
  • Sr Chas JC, I can share the code. I have not tested it yet. Could you share an email address to joeymaloney [at] hotmail.com?

    Thanks,


    If this answers your question, please use the "Answer" button to say so | Ben Cline


    Tuesday, June 12, 2012 6:35 PM
  • Yup I misread.

    My understanding is that MSFT knows about this issue but doesn't yet have a solution.


    David Lundell, Get your copy of FIM Best Practices Volume 1 http://blog.ilmbestpractices.com/2010/08/book-is-here-fim-best-practices-volume.html

    Wednesday, June 27, 2012 10:02 PM
  • Hi Michael C,

    Could you please share this code with me? Our application using ADFS 2.0 is having the same issue through iPhone and the Safari (v 5.1.1) browser. Thanks in advance!

    My email-id: manoharagsm[at]hotmail.com

    Monday, August 27, 2012 10:04 AM
  • Hi Ben,

    Could you please share this code with me? Is this approach tested, and does it work as expected? Our ADFS 2.0 application is having the same issue through iPhone and the Safari (v 5.1.1) browser. Thanks in advance!

    My email-id: manoharagsm[at]hotmail.com

    Monday, August 27, 2012 10:07 AM
  • Please email me the solution too, my email address is bill.sun@hoganlovells.com
    Monday, September 24, 2012 5:52 PM
  • Ok sure I will send it to you too Bill

    If this answers your question, please use the "Answer" button to say so | Ben Cline

    Monday, September 24, 2012 8:23 PM
  • Hi Ben,

    Could you please send me the solution code as well. We are facing the exact same issue on our project. My email address is andre.pato@gmail.com

    Many thanks in advance,

    Cheers,

    André

    Tuesday, September 25, 2012 3:25 PM
  • Hi Michael,

    I would be very interested in the code as we are having similar issues. My mail is troels@it-kartellet.dk.

    Regards Troels

    Monday, October 29, 2012 4:16 PM
  • I have added the code to my project and changed the web.config:

       <add name="MsisAuthCookieDietModule" type="MsisAuthCookieDietModule" />

    However, I could not get the MSISAuth or MSISAuth1 cookies. I can get the FedAuth and FedAuth2 cookies. I checked with Fiddler; there are MSISAuth and MSISAuth1 cookies there.

    Please help.

    Bill

    Monday, December 3, 2012 7:38 PM
  • Another option is to make your own implementation of the public abstract class Microsoft.IdentityModel.Web.CookieHandler. You can specify the custom cookie handler in the WIF configuration: http://msdn.microsoft.com/en-us/library/hh568659.aspx

    This way you don't need to use session to store the data.

    Sunday, January 6, 2013 11:01 AM
  • Hello Ben,

    please send me this code taheito86[at]gmail.com

    also have you tested it ?

    thanks a lot in advance

    Wednesday, January 9, 2013 9:55 AM
  • Ok I will send it. I have personally not tested it. I am the source code steward. :)

    If this answers your question, please use the "Answer" button to say so | Ben Cline

    Tuesday, January 15, 2013 7:08 PM
  • Hello Bill, 

    did you manage to get this code working? We still have your problem; if you can help, it will be much appreciated.

    Tuesday, January 15, 2013 9:46 PM
  • Hi Michael,

    I am having a similar situation here. Could you please share the code with me? It is not a mobile application, but when users are trying to access our ADFS-enabled application they are getting a "400: request header too long" error, and I think it is the Auth cookie size that is increasing the request header length. I am thinking your code might help. My email is mallipeddi.radhika@gmail.com

    Thank you

    Radhika

    Wednesday, January 23, 2013 7:33 PM
  • Hey, I will send it in a little while today. Good luck with it!

    Ben


    If this answers your question, please use the "Answer" button to say so | Ben Cline

    Wednesday, January 23, 2013 7:57 PM
  • Thank you Ben
    Wednesday, January 23, 2013 8:13 PM
  • Hi Ben,

    Could you please also send me the code at ubi @ live.com.au

    Friday, January 25, 2013 12:26 AM
  • As a (late) follow-up to my own question, my company has just agreed to release the source code for the HttpModule to reduce cookie size as open source (BSD license).

    You can find it on github:
    https://github.com/VFL-IT/AdfsCookieDiet

    The code has interop problems with SAML-based RPs using HTTP POST binding, but is currently running on our production ADFS 2.0 site (integrating 20+ RPs using technologies like SimpleSamlPHP, OIOSAML.Java and WIF).


    Monday, February 4, 2013 1:55 PM
  • Hello Michael, 

    I was having a meeting with Apple today regarding the same subject and they are saying "IT IS NOT OUR PROBLEM, IT IS MICROSOFT. GO TO THEM", so please can you invest some time with us and share with us how to deploy this code? I deployed the last code and it didn't work.

    Monday, February 4, 2013 2:03 PM
  • Hey Michael thanks for posting your code on github!

    Thanks,


    If this answers your question, please use the "Answer" button to say so | Ben Cline

    Tuesday, February 5, 2013 9:04 PM
  • Hello Ben,

    did you try it? I tried the old code and it did not work. Can you guys please help us with a few steps on how to implement this code?


    Tuesday, February 5, 2013 9:18 PM