Safari Users are unable to complete the authentication process when SSO is initiated from an embedded webpage.

Published: 12/29/2016
Issue:

Safari Users are unable to complete the authentication process when SSO is initiated from an embedded webpage. The embedded portion of the webpage may just show up blank, or it may display the PingOne dock, depending on the application.

This happens when your organization uses Forms Based Authentication with PingOne and ADConnect with IIS for SSO, and the Stateless option is enabled in ADConnect.

Description:

When using the stateless option in ADConnect, ADConnect and PingOne use a cookie that's set by ADConnect with IIS when the user gets to the login form. Safari has 4 settings regarding cookies:
  • Always block: Safari doesn’t let any websites, third parties, or advertisers store cookies and other data on your Mac. This may prevent some websites from working properly.
  • Allow from current website only: Safari accepts cookies and website data only from the website you’re currently visiting. Websites often have embedded content from other sources. Safari does not allow these third parties to store or access cookies or other data.
  • Allow from websites I visit: Safari accepts cookies and website data only from websites you visit. Safari uses your existing cookies to determine whether you have visited a website before. Selecting this option helps prevent websites that have embedded content in other websites you browse from storing cookies and data on your Mac.
  • Always allow: Safari lets all websites, third parties, and advertisers store cookies and other data on your Mac.
If the user has any of the first three settings selected, Safari will not accept the cookie set by the ADConnect login form, so after the user is authenticated PingOne has no record of where to redirect them.

Solution:

If the user has either of the first two options selected, this flow will not work at all while the SSO login process is embedded within their page.

Option 1:
Set the Safari cookie setting to "Always Allow". No further changes to ADConnect or PingOne are required.

Option 2:
Set the Safari cookie setting to "Allow from websites I visit". You will then need to make a change to the ADConnect with IIS login form to set a cookie that doesn't expire on page navigation. Since this cookie will be set in Safari, the browser will recognize the login form as a "Website I visit", so it will allow the cookie to be set by the embedded form.

For more information and instructions to modify the login form, refer to this article.

You can add a JavaScript function to create a cookie by editing the login.html file as follows:
 
You'd add this function in between the <script type="text/javascript"> and </script> tags
 
// Sets a cookie named cname with value cvalue that expires exdays days from now.
// Because it has an explicit expiry it is a persistent cookie, not a session cookie,
// so it survives page navigation and marks the login form as a "website I visit".
function setADCTrustCookie(cname,cvalue,exdays) {
var d = new Date();
d.setTime(d.getTime() + (exdays*24*60*60*1000));
var expires = "expires=" + d.toGMTString();
// path=/ makes the cookie visible to every page on the ADConnect host
document.cookie = cname + "=" + cvalue + ";" + expires + ";path=/";
}
 
Next, you will update the HTML Body tag to call this function, so the cookie will be set when the login form loads:
 
<body onload="setFocus();setADCTrustCookie('adctrust','AllowSafariToTrustEmbeddedLoginForm','1')">
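The following is an added example, not code from the original article or from ADConnect or PingOne. It separates building the cookie string from writing it to document.cookie, so the string the login form writes can be checked outside a browser, and adds a read-back helper so an administrator can confirm that Safari actually stored the adctrust cookie after the form loads. The helper names (buildCookieString, parseCookies, hasADCTrustCookie, setAndVerifyADCTrustCookie) are this example's own assumptions; the cookie name and value are the ones the article uses. The optional SameSite=None; Secure attributes are a caveat the article does not mention: current browsers require them on any cookie written from a cross-site frame, and they only work over HTTPS.

```javascript
// Added example (not part of the original article): build, write and
// verify the adctrust cookie that the embedded ADConnect login form sets.

// Build the cookie string that document.cookie will receive. "now" is
// injectable so the expiry can be tested deterministically.
function buildCookieString(cname, cvalue, exdays, now, opts) {
  var d = new Date(now ? now.getTime() : Date.now());
  d.setTime(d.getTime() + exdays * 24 * 60 * 60 * 1000);
  var parts = [
    cname + "=" + encodeURIComponent(cvalue),
    "expires=" + d.toUTCString(),
    "path=/"
  ];
  // Caveat not in the original article: a cookie written from a
  // cross-site frame is only accepted by current browsers when it is
  // marked SameSite=None and Secure, which requires HTTPS.
  if (opts && opts.crossSite) {
    parts.push("SameSite=None", "Secure");
  }
  return parts.join("; ");
}

// Parse a document.cookie style string ("a=1; b=2") into an object.
function parseCookies(cookieHeader) {
  var result = {};
  String(cookieHeader || "").split(";").forEach(function (pair) {
    var idx = pair.indexOf("=");
    if (idx < 0) return;
    var name = pair.slice(0, idx).trim();
    if (name) result[name] = decodeURIComponent(pair.slice(idx + 1).trim());
  });
  return result;
}

// True only if the browser kept the trust cookie with the expected value.
function hasADCTrustCookie(cookieHeader) {
  return parseCookies(cookieHeader).adctrust ===
    "AllowSafariToTrustEmbeddedLoginForm";
}

// Browser entry point for the login form's onload handler: write the
// cookie, then read it back so the page can log whether Safari stored it.
function setAndVerifyADCTrustCookie() {
  document.cookie = buildCookieString(
    "adctrust", "AllowSafariToTrustEmbeddedLoginForm", 1, new Date(),
    { crossSite: location.protocol === "https:" });
  return hasADCTrustCookie(document.cookie);
}
```

In the login form, call setAndVerifyADCTrustCookie() from the body onload handler in place of setADCTrustCookie; if it returns false, the browser's cookie setting is still blocking the embedded form and the user needs Option 1.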

Users who have already experienced the issue may need to log out completely and initiate a new SSO request.
Category: ADConnect