MSAL iOS authentification & web SSO (SAML) in Safari not working

Question

MSAL iOS authentification & web SSO (SAML) in Safari not working

Maxime D 0

Hi,

We have integrated the MSAL library into our native iOS and Android applications, and want to reuse the login information in web authentication (SAML).

On Android, when you connect to the native application via MSAL and then go to the website (https://samltestapp2.azurewebsites.net/SP) , we are automatically authenticated, which is the expected behavior.

On iOS, when you connect to the application and then launch Safari, authentication is requested again when it should reuse the information entered on the application.

We have also tested with the "B2C Sample for Apple iOS in Swift" and the problem is also present. How to have a connection in the iOS application that can be reused by Safari?

Thanks for your help

Maxime

Akshay-MSFT 17,961 Reputation points Microsoft Employee Moderator

2023-04-03T07:01:38.5066667+00:00

@Maxime D

Hope you got a chance to review the action plan suggested below. Please do let me know if you have any queries in the comments section. If you don't have any further queries and the suggestion works as per your business need. Please "Accept the answer" and "share you feedback (Yes/No)". This will help us and others in the community as well.

Thanks,

Akshay Kaushik

1 answer

Your answer

Akshay-MSFT 17,961 Reputation points Microsoft Employee Moderator

2023-04-03T07:01:38.5066667+00:00

@Maxime D

Hope you got a chance to review the action plan suggested below. Please do let me know if you have any queries in the comments section. If you don't have any further queries and the suggestion works as per your business need. Please "Accept the answer" and "share you feedback (Yes/No)". This will help us and others in the community as well.

Thanks,

Akshay Kaushik

Answer 1

Akshay-MSFT 17,961 Microsoft Employee Moderator

@Maxime D

Thank you for posting your query on Microsoft Q&A.

Web browsers are required for interactive authentication. By default, the MSAL library uses the system web view. During sign-in, the MSAL library pops up the iOS system web view with the Azure AD B2C user interface.

In the Customize browsers and WebViews for iOS/macOS article this could be due to Cookie sharing and SSO implications

User's image

For SSO to work on iOS, tokens need to be shared between apps. This requires a token cache, or broker application, such as Microsoft Authenticator for iOS.

However in case of android SSO implications By default, applications integrated with MSAL use the system browser's Custom Tabs to authorize. Unlike WebViews, Custom Tabs share a cookie jar with the default system browser enabling fewer sign-ins with web or other native apps that have integrated with Custom Tabs.

Action Plan: Kindly validate if you are using SFSafariViewController or ASWebAuthenticationSession (Note: SFAuthenticationSession has been deprecated by Apple)

Thanks,

Akshay Kaushik

Please "Accept the answer" (Yes/No), and share your feedback if the suggestion works as per your business need. This will help us and others in the community as well.

Maxime D 0 Reputation points

2023-04-03T14:54:55.0466667+00:00

@Akshay-MSFT Thanks for your answer.

We do use the ASWebAuthenticationSession (default mechanism on iOS 16 and we do have the connection authorization popup via "b2clogin")

but when we launch Safari on the SAML test site, or an SFSafariViewController via our application, we are systematically obliged to reconnect.

However, the documentation indicates that SSO is possible without a token cache/broker.

The behavior is also observed on the sample, the connection data entered in the application are never shared with Safari instances

Do you have a solution ?

Thanks for your help
Andreas Nyhrén 10 Reputation points

2023-04-04T14:31:57.1933333+00:00

Hi, what does "This requires ... such as Microsoft Authenticator for iOS" entail? What is the actual requirement for it (SSO w B2C) to work? Other sources, e.g., https://learn.microsoft.com/en-us/azure/active-directory/develop/single-sign-on-macos-ios#sso-through-authentication-broker-on-ios states "Microsoft Authenticator provides SSO for Azure AD registered devices" but how does that work with B2C?
Maxime D 0 Reputation points

2023-04-07T09:06:48.4+00:00

@Akshay-MSFT
Hi, were you able to see my answer and if there was a solution to make the SSO functional ? Thanks, Maxime
Akshay-MSFT 17,961 Reputation points Microsoft Employee Moderator

2023-04-11T06:00:47.9766667+00:00

@Maxime D , Apologies for delay, I am still researching on the latest query. I will get back to you with further inputs after validating this with my resources. Thanks, Akshay Kaushik
Maxime D 0 Reputation points

2023-04-20T16:05:40.4666667+00:00

@Akshay-MSFT
Do you have any news on the resolution of this problem ? Thanks, Maxime
Maxime D 0 Reputation points

2023-04-28T10:07:08.6366667+00:00

@Akshay-MSFT
it's starting to become very blocking for us, the use case is normally standard compared to what is indicated in the documentation, I don't understand why it takes so much time? Thanks, Maxime
JamesTran-MSFT 36,911 Reputation points Microsoft Employee Moderator

2023-04-28T18:36:01.01+00:00

@Maxime D

Thank you for actively following up on this!

I've reached out to Akshay and some of my other teammates internally and we'll look into your issue as soon as possible.

If you'd like to work closer with our Support Engineers and have an active Azure Subscription ID, please let me know and I'd be more than happy to enable a one-time free technical support request for your subscription to get this issue resolved.

Thank you for your time and patience throughout this issue.
Akshay-MSFT 17,961 Reputation points Microsoft Employee Moderator

2023-05-03T04:11:55.27+00:00

@Maxime D

I was OOF and was not able to respond earlier. This is what I found and could be the solution to using SSO without broker but might need some user interaction:

SSO is achieved through the ASWebAuthenticationSession class. It uses existing sign-in state from other apps and the Safari browser. It's not limited to apps distributed by the same Apple Developer, but it requires some user interaction.

If you use the default web view in your app to sign in users, you'll get automatic SSO between MSAL-based applications and Safari.

As per Supporting Single Sign-On in a Web Browser App you need to Declare the Session Handling Capability

Using the Xcode property list editor, add the ASWebAuthenticationSessionWebBrowserSupportCapabilities key to your web browser’s Information Property List. For the key’s value, create a dictionary that contains the IsSupported key, with a corresponding value of YES.

By declaring this capability, you tell the system that your web browser app handles single sign-on requests. If the user has set your browser as the default, the system routes authentication requests to it.

Please do let me know if you have any further queries.

Thanks,

Akshay Kaushik
Akshay-MSFT 17,961 Reputation points Microsoft Employee Moderator

2023-05-04T05:06:20.75+00:00

@Maxime D ,

Hope you got a chance to review the suggestion above, please do let me know if you have any further queries.

Thanks

Akshay Kaushik

Please "Accept the answer" (Yes), and share your feedback if the suggestion answers you’re your query. This will help us and others in the community as well.
Maxime D 0 Reputation points

2023-05-05T16:20:18.17+00:00

Hi @Akshay-MSFT
Thank you for your reply, our developer is OOF today, he will check on Tuesday and I will report back following that.
Thanks, Maxime
Maxime D 0 Reputation points

2023-06-23T12:54:34.07+00:00

Hi @Akshay-MSFT @JamesTran-MSFT

Sorry for the delay in response, we had a few emergencies since my last message... We tested a lot of things, and also followed the documentation concerning session handling, but nothing changed... it is still not possible to reuse login information in safari instances

In order to help us unblock the situation, is it possible to benefit from a one-time free technical support request as proposed by @JamesTran-MSFT ? Our subscription id is 1d44a58b-738e-4ebf-83b9-15f1a5db6808

As it stands, it is impossible to migrate our applications to Azure AD B2C given the problems on iOS

Thanks,

Maxime
Maxime D 0 Reputation points

2023-07-03T09:21:30.6533333+00:00

Hi @Akshay-MSFT @JamesTran-MSFT
can you give me a feedback to have access to the support please ?
Thank you,
Maxime
Maxime D 0 Reputation points

2023-07-10T09:09:50.1433333+00:00

Hi @Akshay-MSFT @JamesTran-MSFT

We still haven't heard back, we're trying to migrate to Azure AD B2C but given the difficulties in getting the library to work on basic features, it's very complicated... Can you give us access to support to help us move forward and avoid wasting too much time ?

Thank you,

Maxime

Share via

MSAL iOS authentification & web SSO (SAML) in Safari not working

1 answer

Your answer