ThusharaManchanayake-1496 asked:

SSO in IOS with Safari browser

Hi,

We have web and mobile clients set up with Azure B2C. When we tested SSO on an Android device with the Chrome browser, it works perfectly: it doesn't ask for credentials in the mobile app when we have logged in to the web app. But when we tested the same on an iOS device with the default Safari browser, it asks for credentials again. Could someone please guide me to get it working on iOS devices too?

Thanks,
Thushara Manchanayake.

azure-ad-b2c

MarileeTurscak-MSFT answered:

There are some known issues with Azure AD's Safari compatibility, but the product team has previously stated that the problem is on the Apple product side. The last I heard about this issue, the status is that the Apple team and Microsoft's PG team are working on it, but there is nothing that the Microsoft development team can do because there is nothing wrong on Microsoft's side. The issue is that Apple is not properly sending cookies to the login.microsoftonline server because of some privacy and security updates.

There is a workaround in this blog post that may help.

In the meantime, I will check back with the product team to see if there has been an update around this problem as the original issue was quite old and I'm not sure if your issue is the same (though it does sound similar given your description of the redirection).


· 2
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

@MarileeTurscak-MFST I would like to know if there was any update from the product team regarding the redirection (Azure AD's Safari compatibility) issue? Thank you.


@MarileeTurscak-MSFT could you please validate whether there are any options to overcome this issue, and whether it was resolved or not?


ThusharaManchanayake-1496 answered:

Hi,

Thank you for the quick reply.

We are not using ASP.NET Core to set up OIDC, and we are not having a login redirection loop.

Basically we have an Angular client application and a mobile client application, which use the same Azure B2C tenant to log in. Those two different clients have two different client IDs.

The Angular client uses the MSAL-Angular package to log in via Azure B2C.

The mobile application redirects to https://{tenentId}.b2clogin.com/{tenentId}.onmicrosoft.com/b2c_1_signin/oauth2/v2.0/authorize?redirect_uri={mobile-application-scheme}%3A%2F%2Foauth%2Fredirect&client_id={clientId}&response_type=code&state=WKlrRSK5bKGkaxPqOw0Awg&scope=995d4839-c454-48c2-bb07-345af183163f%20openid%20offline_access%20profile&code_challenge={code_challenge}&code_challenge_method=S256 to log in and to get the auth code.

The problem we are having is: on an iOS device, while the user is logged into the Angular client in the Safari browser, when that user tries to log into the iOS application via the same B2C login in Safari, it asks for credentials again. When we executed the same steps on Android with the Chrome browser, it doesn't ask for credentials and redirects to the mobile app with the token. It seems like the B2C browser session is not shared between apps in Safari.

I hope this explains the problem we are having.

Thanks
--Thushara--


AzamFahmy-7442 answered (edited):

We had a similar issue with a ReactJS app. We overcame it by opting to use a redirect flow over a pop-up flow. This way the browser session is not lost, as it is with a pop-up. This only requires a small configuration change in your app's Microsoft Login Agent.

 msalInstance.loginRedirect()
