ADFS 3.0 federated sites not working on Safari on iOS

  • Question

  • Hi,

    We've got ADFS 3.0 set up to authenticate our on-premises accounts for Office 365 and other federated sites. This is working fine for PCs (IE and Chrome), but we can't log on from Safari on iOS or any MS iOS apps such as Outlook, Word etc. We're using forms-based authentication on ADFS and have tried the following on ADFS so far without any success.

    So far I have tried the following, but it's not made a difference. I have also looked through a lot of websites on this topic.

    1. Executed the Set-AdfsProperties -ExtendedProtectionTokenCheck None cmdlet.

    2. Executed Set-AdfsProperties -WIASupportedUserAgents @("MSAuthHost/1.0/In-Domain", "MSIE 6.0", "MSIE 7.0", "MSIE 8.0", "MSIE 9.0", "MSIE 10.0", "Trident/7.0", "MSIPC", "Windows Rights Management Client", "Mozilla/5.0")

    3. Removed the "Pass through all Group SID claims" rule for Active Directory. This was to try and reduce the token size, which I believe to be the main underlying issue here.

    Any help would be greatly appreciated.

    Many Thanks


    Wednesday, May 24, 2017 8:29 AM

All replies

  • iOS Safari has known issues with ADFS, as it does not allow cookies over 4 KB. ADFS uses these cookies to maintain your auth state, so passing more than 4 KB of claim data into those cookies fails the authentication.

    You may want to refer to the link below.


    A HttpModule to reduce the size of the ADFS MSISAuth cookie to fit within the iOS/Safari limit (by offloading the content to a database)

    Things to look out for:

    - This code probably puts your ADFS in an unsupported state.
    - This code has known interop problems with POST-based SAML RPs (GET-based SAML RPs and WS-Federation-based RPs work).


    Disclaimer: The views expressed on this blog are my own and do not necessarily reflect the views of my employer.

    Monday, May 29, 2017 5:06 AM
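To see whether a sign-in response actually hits the cookie limit described in the reply above, the following script measures the ADFS MSISAuth cookie chunks in a set of Set-Cookie headers. It is an added diagnostic, not the thread's code or the linked HttpModule; the 4 KB figure is the one the reply states, the chunk naming (MSISAuth, MSISAuth1, ...) and the sample headers are assumptions constructed for the demonstration.

```python
import re

# iOS Safari limit referred to in the thread: a cookie over 4 KB is not accepted.
COOKIE_LIMIT_BYTES = 4096

# Assumption: ADFS splits a large auth cookie into chunks named MSISAuth, MSISAuth1, ...
MSISAUTH_NAME = re.compile(r"^MSISAuth\d*$")


def parse_set_cookie(header_value):
    """Return (name, value) from one Set-Cookie header, dropping attributes
    such as Path, Secure and HttpOnly."""
    name_value = header_value.split(";", 1)[0]
    name, _, value = name_value.partition("=")
    return name.strip(), value.strip()


def msisauth_report(set_cookie_headers, limit=COOKIE_LIMIT_BYTES):
    """Measure every MSISAuth* cookie chunk and flag the ones above `limit` bytes.

    Returns the per-cookie sizes, the combined size of all chunks (what the
    browser would have to store for the auth state), and the oversized names."""
    sizes = {}
    for header in set_cookie_headers:
        name, value = parse_set_cookie(header)
        if MSISAUTH_NAME.match(name):
            sizes[name] = len(value.encode("utf-8"))
    return {
        "per_cookie": sizes,
        "total": sum(sizes.values()),
        "over_limit": sorted(n for n, s in sizes.items() if s > limit),
    }


# Constructed sample of a sign-in response: the first chunk is padded to
# 5000 bytes so it exceeds the limit; non-chunk cookies are ignored.
SAMPLE_HEADERS = [
    "MSISAuth=" + "A" * 5000 + "; path=/adfs; HttpOnly; Secure",
    "MSISAuth1=" + "B" * 100 + "; path=/adfs; HttpOnly; Secure",
    "MSISAuthenticated=dGVzdA==; path=/adfs; HttpOnly; Secure",
    "MSISSession=abc123; path=/adfs; HttpOnly; Secure",
]

if __name__ == "__main__":
    report = msisauth_report(SAMPLE_HEADERS)
    for name, size in report["per_cookie"].items():
        print(f"{name}: {size} bytes")
    print(f"total: {report['total']} bytes, over limit: {report['over_limit']}")
```

Feed it the Set-Cookie headers from a real ADFS response captured in a browser's developer tools, once before and once after trimming claims such as group SIDs, to confirm the change actually brought the chunks under the limit.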
  • Apart from making sure Forms auth is enabled, also enable the windowstransport endpoint as detailed here: https://support.microsoft.com/en-us/kb/3052203
    Monday, May 29, 2017 7:16 AM
  • Hi Fazel,

    Thanks for your reply. Forms-based auth is enabled already, and I'll certainly enable the Windows transport endpoint, although that refers to domain-joined desktops, and the devices I'm using aren't.

    Thanks for the link. It looks mightily complex to set this up, and I'm a bit unsure, seeing as it's not supported and could potentially cause other issues.

    I'll let you know first whether enabling the Windows transport endpoint makes a difference.

    Thursday, June 1, 2017 11:59 AM