There seems to be a current issue with logging into Microsoft Online with Mac OS and iOS devices utilizing the newest version of Safari (12).

The updates on Safari 12 are shown here: https://developer.apple.com/safari/whats-new/

Due to some of the new Security and Privacy updates, there seems to be a cookie issue that is causing infinite redirection when logging into the endpoint: http://login.microsoftonline.com

This new update causes Safari on Apple device users to go into a redirect infinite loop when logging in.

This is most likely due to Safari not letting the Microsoft cookie through, which causes Microsoft's servers to redirect back to the login page to get the cookie required. However, the browser still has some identity information which causes the user to automatically log in again, redirecting to the server. The cookie is still not sent along with the request, causing the server to send the user back to the login page. This redirection from server and browser seems to be the main reason behind the infinite redirection.

Is there any update, reasoning, or resolution to resolve/workaround the problem behind the Safari and Microsoft login redirection issue?

Frank H
  • I'm troubleshooting an issue with Safari and another site. I was hoping this was the cause; however, I'm able to log in from Sierra and Mojave's Safari 12 as of 10/24/18. Has this been resolved or something? – seizethecarp Oct 24 '18 at 16:40
  • It is not resolved for me on Safari on iOS 12 - as of 10/25/18. – G_P Oct 25 '18 at 12:19
  • Just wanted a comment next to my previous one to indicate that the workaround in the answer from @BrianReiter works for me – G_P Nov 09 '18 at 11:56
  • I seem to have a regression to this error on Safari 13.0.4 on macOS 10.15.2, which I installed yesterday (Dec 15 2019), and instantly this issue came up. – scot Dec 16 '19 at 05:10

2 Answers

You are correct. There are some known issues with AAD's Safari compatibility. You can make a new feature request in User Voice or upvote and subscribe to some of the existing ones.

https://support.microsoft.com/en-us/help/2535227/a-federated-user-is-prompted-unexp
https://feedback.azure.com/forums/223579-azure-portal/suggestions/34373635-fix-signing-in-in-safari
https://feedback.azure.com/forums/223579-azure-portal/suggestions/7513912-does-not-work-well-on-safari-but-works-fine-on-chr

UPDATE: the product team has gotten back and replied that this is an issue on Apple's end. The current status is that the Apple team and Microsoft's PG team are working on it, but there is nothing that the Microsoft development team can do because there is nothing wrong on Microsoft's side. The issue is that Apple is not properly sending cookies to the login.microsoftonline server because of the new privacy and security updates. https://developer.apple.com/safari/whats-new/

Marilee Turscak - MSFT
  • Edited the post with an update from the product team. I will continue to update this thread when information is released. – Marilee Turscak - MSFT Oct 03 '18 at 21:01
  • Does anybody know if there is any way to track this issue on Apple's side to see if/when a resolution is coming? – G_P Oct 24 '18 at 13:39
  • Or alternatively, what are some approaches to work around this issue? – G_P Oct 24 '18 at 13:45
  • Has there been any movement on this since your last update? Thanks! – G_P Nov 06 '18 at 13:26
  • So, because it's not an MSFT issue, our apps that use AAD won't work for iOS 12 users? The suggested fixes above are not working for ASPNET CORE / Azure AAD and that's it? Nothing we can do about it? – Thiago Custodio Nov 22 '18 at 14:28
  • @ThiagoCustodio I found a blog post about this issue that has some user comments - thought I'd share it just in case: https://hajekj.net/2018/08/31/beware-of-samesite-cookie-policy-in-asp-net-core-and-upcoming-ios-12/ – G_P Jan 10 '19 at 20:28
  • Thanks, I saw that one when I was dealing with this issue. – Thiago Custodio Jan 10 '19 at 21:45
  • @ThiagoCustodio were you able to get it to work for ASPNET CORE / Azure AAD? – Sarahrb Feb 14 '22 at 11:46
  • @Sarahrb Yes... everything works, but this is a super old post, right!? – Thiago Custodio Feb 14 '22 at 14:12
There is a solution documented by the aspnet/security team on GitHub.

https://github.com/aspnet/Security/issues/1864

If you are using ASP.NET Core Identity, you can disable the protection by configuring cookies with the following code:

services.ConfigureExternalCookie(options => {
    // Other options
    options.Cookie.SameSite = SameSiteMode.None; // external-login cookie: no SameSite restriction
});
services.ConfigureApplicationCookie(options => {
    // Other options
    options.Cookie.SameSite = SameSiteMode.None; // application cookie: no SameSite restriction
});

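If you are using cookie authentication without ASP.NET Core Identity, you can turn off the protection with the following code:

// AddCookie is an AuthenticationBuilder extension, so it is chained after AddAuthentication
services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie(CookieAuthenticationDefaults.AuthenticationScheme, options => {
        // Other options
        options.Cookie.SameSite = Microsoft.AspNetCore.Http.SameSiteMode.None;
    });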

If you are using external OIDC providers you may be able to avoid the issue by changing the response mode your provider uses from a POST to a GET request, using the following code. Not all providers may support this.

.AddOpenIdConnect("myOIDProvider", options => {
    // Other options
    options.ResponseType = "code";
    options.ResponseMode = "query"; // response returns as a GET query string instead of a form POST
});
Brian Reiter
  • Thank you so much - I had searched but didn't find that issue on github. I have deployed the change for using cookie authentication without ASP.NET Core identity and have verified that it works for me. Thank you again! – G_P Nov 06 '18 at 20:21
  • How about for non .NET users? – aj go Dec 09 '22 at 03:49
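
To confirm which cookies the configuration in the answer above actually changed, the check below reads the Set-Cookie headers of a sign-in response and reports each cookie's SameSite mode, flagging cookies that had the protection turned off without Secure or HttpOnly. It is an added example, not code from the answer or from the aspnet/Security issue; it only inspects response headers, so it applies to any server stack. The header lines are constructed, the `.AspNetCore.*` names are assumed defaults, and the `ExternalLogin` cookie name and the issue labels are hypothetical.

```python
# Added example: audit the SameSite attribute on Set-Cookie response headers.
# SAMPLE_HEADERS is constructed sample data (cookie values are placeholders).
SAMPLE_HEADERS = [
    ".AspNetCore.Cookies=PLACEHOLDER; path=/; secure; samesite=lax; httponly",
    ".AspNetCore.Identity.Application=PLACEHOLDER; path=/; secure; samesite=none; httponly",
    "ExternalLogin=PLACEHOLDER; path=/; samesite=none",  # hypothetical cookie name
    "theme=dark; path=/",
]


def parse_set_cookie(header):
    """Return (cookie name, {attribute: value}) with lowercase attribute names."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        # Flag attributes such as Secure and HttpOnly carry no value.
        attrs[key.strip().lower()] = value.strip().lower() or True
    return name, attrs


def audit(headers):
    """Report each cookie's SameSite mode and what the workaround left exposed."""
    report = []
    for header in headers:
        name, attrs = parse_set_cookie(header)
        mode = attrs.get("samesite", "unset")
        issues = []
        if mode in ("lax", "strict"):
            # Still restricted: the workaround has not been applied to this cookie.
            issues.append("samesite-restricted")
        elif mode == "none":
            # Workaround applied: the cookie now travels on cross-site requests,
            # so the remaining attributes carry the protection.
            if "secure" not in attrs:
                issues.append("none-without-secure")
            if "httponly" not in attrs:
                issues.append("none-without-httponly")
        report.append({"cookie": name, "samesite": mode, "issues": issues})
    return report


if __name__ == "__main__":
    for row in audit(SAMPLE_HEADERS):
        print(f'{row["cookie"]:35} samesite={row["samesite"]:6} {row["issues"]}')
```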