Here is the scenario: we have SSO enabled for our mobile clients, and when they wish to use the SSO auth process, we spawn a browser process to handle the SAML token generation process. It has been working well until recently, when we encountered problems in a specific situation where customers use ADFS and try to sign on from iOS clients. iOS clients use Safari by default, so the two players in this scenario are Safari (Apple) and ADFS (Microsoft).
So the sequence starts by browsing to a URL (simplified to https://sso.mycomp.com/!saml2/scg3/sp-sso/post) that is the first URL to hit as a part of the SAML flow. The HTML content I receive from this endpoint is like the one shown below. (I have removed the SAML data for clarity.)
<html xmlns="http://www.w3.org/1999/xhtml">
<body onload="document.forms.samlform.submit()">
<noscript><p><strong>Note:</strong> No JS, press the Continue to proceed.</p></noscript>
<form id="samlform" action="https://intranet.mycomp.com/adfs/ls/" method="post">
<div>
<input type="hidden" name="SAMLRequest" value="***SAML_REQUEST_DATA_WAS_HERE***"/>
<input type="hidden" name="RelayState" value="default"/>
</div>
<noscript><div><input type="submit" value="Continue"/></div></noscript>
</form>
</body>
</html>
It basically asks the browser to do a POST operation to https://intranet.mycomp.com/adfs/ls/ after the HTML document is loaded by the browser. The body onLoad tag (line #2) and the form action/method tags (line #4) clearly define the operation to perform, i.e. POST to https://intranet.mycomp.com/adfs/ls/ after the page is loaded.
But the responses I get from Safari and Chrome browsers are different. On Chrome things work as expected but on Safari, the SSO sequence breaks.
Here is the Charles trace from Chrome.
Here is the trace from Safari. With the same response, it does a "GET".
Is there a way to overcome this issue, or are there workarounds? Why is Safari not doing a POST and respecting the HTML that was passed to it?
Any information would be helpful.
Versions: Chrome - Version 51.0.2704.103 (64-bit) Safari - Version 9.1.1 (11601.6.17) ADFS - 2.0
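As an added illustration that is not part of the original post: a small Python check that parses a response like the one above and reports the request a browser is expected to make when it auto-submits the form, for comparison against a proxy trace. The sample HTML is constructed from the post's snippet with a placeholder SAMLRequest value, and `AutoPostForm` and `expected_request` are hypothetical names.

```python
from html.parser import HTMLParser
from urllib.parse import urlencode

# Constructed sample modelled on the response above; SAMLRequest is a placeholder.
SAMPLE = """<html xmlns="http://www.w3.org/1999/xhtml">
<body onload="document.forms.samlform.submit()">
<form id="samlform" action="https://intranet.mycomp.com/adfs/ls/" method="post">
<div>
<input type="hidden" name="SAMLRequest" value="PLACEHOLDER_SAML_REQUEST"/>
<input type="hidden" name="RelayState" value="default"/>
</div>
</form>
</body>
</html>"""

class AutoPostForm(HTMLParser):
    """Records body onload, the first form's attributes and its named inputs."""
    def __init__(self):
        super().__init__()
        self.onload, self.form, self.fields, self._in_form = None, None, {}, False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "body":
            self.onload = a.get("onload")
        elif tag == "form" and self.form is None:
            self.form, self._in_form = a, True
        elif tag == "input" and self._in_form and a.get("name"):
            self.fields[a["name"]] = a.get("value") or ""  # unnamed inputs are not sent

    def handle_endtag(self, tag):
        if tag == "form":
            self._in_form = False

def expected_request(html):
    """Return the method, URL and urlencoded body the form submission should produce."""
    parser = AutoPostForm()
    parser.feed(html)
    if parser.form is None:
        raise ValueError("response contains no form")
    return {
        "method": (parser.form.get("method") or "get").upper(),  # HTML default is GET
        "url": parser.form.get("action"),
        "auto_submit": "submit()" in (parser.onload or ""),
        "body": urlencode(parser.fields),
    }

if __name__ == "__main__":
    print(expected_request(SAMPLE))
```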