Azure active directory safari redirection issue

Question

Azure active directory safari redirection issue

Sarah 161

There is a problem accessing my webapp on iOS(safari and chrome browsers). Works well on android devices(chrome browser) and windows without any redirection problem.

When I use iOS devices, it causes redirection back to login page from home page, after signing in. Like, AAD Login -> Homepage(redirects back to login) -> AAD Login -> Homepage(properly logged in with no further redirection, at this point). It always signs in properly after second sign in, as stated. I would appreciate if anyone could provide input on this.

iOS version:15.2.1 and 15.3.1

Marilee Turscak-MSFT 37,206 Reputation points Microsoft Employee Moderator

2022-02-18T01:09:31.92+00:00

Hi @Sarah ,

As I mentioned in the other thread there are some issues with Safari's compatibility on Apple's side, but I'm looking into whether anything may have changed since then. If cookies are blocked by the browser, that can cause the looping issue. https://github.com/AzureAD/azure-activedirectory-library-for-js/issues/451

Do you know which iOS version this is?

One issue seems to that Apple is not properly sending cookies to login.microsoftonline server due to some privacy and security updates. This blog post provides a workaround of configuring CookiePolicyOptions along with the Cookie.SameSite policy.
Sarah 161 Reputation points

2022-02-18T14:15:40.187+00:00

Hi @Marilee Turscak-MSFT ,

iOS version:15.2.1 and 15.3.1

Thank you for the blog post link. I noticed that from your previous post and tried but problem still exists in my case.
Sarah 161 Reputation points

2022-03-03T06:47:36.03+00:00

You are correct. Safari is not sending third-party cookies anymore since they introduced Privacy Preference: "Prevent cross-site tracking" (which is turned on by default). Even if we set our cookies with SameSite=None; Secure; they still don't be set and sent cross-domain. So SameSite=None is still treated as SameSite=Strict. Since safari is not letting the Microsoft cookie through, this causes Microsoft's servers to redirect back to the login page to get the cookie required. The only solution that works rite now is turning off "Prevent cross-site tracking" on safari settings. Please keep us informed if you find any update on Azure AD iOS compatibility. Thank you.

2 answers

Your answer

Marilee Turscak-MSFT 37,206 Reputation points Microsoft Employee Moderator

2022-02-18T01:09:31.92+00:00

Hi @Sarah ,

As I mentioned in the other thread there are some issues with Safari's compatibility on Apple's side, but I'm looking into whether anything may have changed since then. If cookies are blocked by the browser, that can cause the looping issue. https://github.com/AzureAD/azure-activedirectory-library-for-js/issues/451

Do you know which iOS version this is?

One issue seems to that Apple is not properly sending cookies to login.microsoftonline server due to some privacy and security updates. This blog post provides a workaround of configuring CookiePolicyOptions along with the Cookie.SameSite policy.
Sarah 161 Reputation points

2022-02-18T14:15:40.187+00:00

Hi @Marilee Turscak-MSFT ,

iOS version:15.2.1 and 15.3.1

Thank you for the blog post link. I noticed that from your previous post and tried but problem still exists in my case.
Sarah 161 Reputation points

2022-03-03T06:47:36.03+00:00

You are correct. Safari is not sending third-party cookies anymore since they introduced Privacy Preference: "Prevent cross-site tracking" (which is turned on by default). Even if we set our cookies with SameSite=None; Secure; they still don't be set and sent cross-domain. So SameSite=None is still treated as SameSite=Strict. Since safari is not letting the Microsoft cookie through, this causes Microsoft's servers to redirect back to the login page to get the cookie required. The only solution that works rite now is turning off "Prevent cross-site tracking" on safari settings. Please keep us informed if you find any update on Azure AD iOS compatibility. Thank you.

Answer 1

Hi @Sarah

@Marilee Turscak-MSFT 's comment is correct. And I find a soultion documented by the aspnet/security team on GitHub..

You can try below methods to solve your issue.

1. If you are using ASP.NET Core Identity you disable the protection by configuring cookies with the following code

services.ConfigureExternalCookie(options => {  
    // Other options  
    options.Cookie.SameSite = SameSiteMode.None; }); services.ConfigureApplicationCookie(options => {  
    // Other options  
    options.Cookie.SameSite = SameSiteMode.None; });

2. If you are using cookie authentication without ASP.NET Core identity you can turn off the protection with the following code

services.AddCookie(CookieAuthenticationDefaults.AuthenticationScheme, options => {  
    // Other options  
    options.Cookie.SameSite = Microsoft.AspNetCore.Http.SameSiteMode.None; })

3. If you are using external OIDC providers you may be able to avoid the issue by changing the response mode your provider uses from a POST to a GET request, using the following code. Not all providers may support this.

.AddOpenIdConnect("your_OIDProvider", options => {  
    // Other options  
    options.ResponseType = "code";  
    options.ResponseMode = "query";  
};

If the answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Best Regards,
Jason

Sarah 161 Reputation points

2022-02-18T14:22:32.093+00:00

Hi @Anonymous ,

Thank you, I tried setting same site cookie to none. but iOS is not letting third-party cookies since they introduced Privacy Preference: "Prevent cross-site tracking" (which is turned on by default). So SameSite=None is still treated as SameSite=Strict (since prevent cross site tracking is on by default).
abdelmonem wijlini 1 Reputation point

2022-04-14T00:27:06.85+00:00

This didn't work @Sarah (deactivating "Prevent cross-site tracking" in settings of Safari in IOS) are you sure about what you're saying ?
Chris Spanellis 26 Reputation points

2023-10-24T19:16:27.2033333+00:00

Would this issue remain if we use a custom host/domain for the B2C login that matches the site that originates the redirect??

Answer 2

Sechaba Tomodi 1

@Sarah @AmanpreetSingh-MSFT

Is there a workaround regarding this issue as if affects most companies using Microsoft Product that can be implemented in AD B2C policies and Angular? Any latest update?

abdelmonem wijlini 1 Reputation point

2022-04-20T15:30:01.317+00:00
try to remove ExpireTimeSpan option from ConfigureApplicationCookie

builder.Services.ConfigureApplicationCookie(options => { options.ExpireTimeSpan = TimeSpan.FromMinutes(30); });

I think there is an issue related to this option with Safari ... Safari broke the cookie if you set the ExpireTimeSpan value....

In my case i'm using ASP .NET CORE 6 with Microsoft Identity i have lost days and days to figure out that issue

Share via

Azure active directory safari redirection issue

2 answers

Your answer