Forum Discussion

Nova_201357
Aug 01, 2018

Iphone error using APM SAML

Greetings all,

I’ve federated with Office 365; I used an iApp () to accomplish it. It works as expected for internal and external clients, except for iPhones (current version of iOS).

The iApp was modified to allow for Kerberos SSO internally. Externally it uses HTTP basic.

I opened a case with F5 support and we did some packet captures to see what the clients were posting to the SAML IdP. With an Android, the pcap looks like this:

The above pcap includes an Authorization header. The iPhone request is different, and does not include that header:

According to F5 Support, since the Authorization header is missing from the POST on the iPhone, the APM throws a redirect and the client barfs on that. The fallout of that is that the client displays an invalid nonce error like this:

F5 Support believes this is a bug in iOS; I guess that wouldn’t be the first time! Has anyone come across this issue using the APM as an IdP for Office 365 as the SP and iPhone clients?

Thanks for any suggestions you have. Cheers, Mike
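Added triage example, not part of the original post or of F5's iApp: it parses raw HTTP requests captured in front of the IdP (constructed samples below, not Mike's pcaps; the IdP path and User-Agent strings are assumptions) and counts SAMLRequest POSTs with and without the Authorization header per client OS, which is the check the support case above came down to.

```python
# Added triage example (not from the thread): find SAMLRequest POSTs captured on
# the way to the IdP that carry no Authorization header, grouped by client OS.
from collections import defaultdict

# Constructed sample captures, not the poster's pcaps: an Android POST with
# HTTP Basic credentials, an iPhone POST without them, and an unrelated GET.
SAMPLE_REQUESTS = [
    "POST /saml/idp/sso HTTP/1.1\r\nHost: idp.example.com\r\n"
    "User-Agent: Mozilla/5.0 (Linux; Android 8.0)\r\n"
    "Authorization: Basic dXNlcjpwYXNz\r\n\r\n"
    "SAMLRequest=PHNhbWxwOkF1dGhuUmVxdWVzdA%3D%3D&RelayState=abc",
    "POST /saml/idp/sso HTTP/1.1\r\nHost: idp.example.com\r\n"
    "User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4 like Mac OS X)\r\n\r\n"
    "SAMLRequest=PHNhbWxwOkF1dGhuUmVxdWVzdA%3D%3D&RelayState=def",
    "GET /favicon.ico HTTP/1.1\r\nHost: idp.example.com\r\nUser-Agent: curl/7.0\r\n\r\n",
]

def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, path, headers, body);
    header names are lower-cased so lookups are case-insensitive."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body

def platform(user_agent):
    """Coarse client OS taken from the User-Agent string."""
    ua = user_agent.lower()
    if "iphone" in ua or "ipad" in ua:
        return "ios"
    return "android" if "android" in ua else "other"

def triage(requests):
    """Count SAML AuthnRequest POSTs per platform, split by whether the
    Authorization header the HTTP Basic policy expects is present."""
    stats = defaultdict(lambda: {"with_auth": 0, "missing_auth": 0})
    for raw in requests:
        method, _, headers, body = parse_request(raw)
        if method != "POST" or "SAMLRequest=" not in body:
            continue
        key = "with_auth" if "authorization" in headers else "missing_auth"
        stats[platform(headers.get("user-agent", ""))][key] += 1
    return dict(stats)
```

Feed it the decoded request text from the support capture and a platform whose POSTs all land in `missing_auth` is the one whose client never answered the Basic challenge.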

  • Hi, do you know if this is still a problem on iOS 12.0.1? I am trying to set it up and I am getting the same problem.

  • Hi lcp,

    I don't know if anything is different in iOS 12. I've come to discover that all MS native apps for smart devices behave differently than the web based apps.

    Most recently I came across this: MS Teams, when accessed through a browser, worked fine. But if I installed the Teams app, it did not. This occurred across devices, and it didn't matter if I used a Surface, iPhone, Android, whatever. If I accessed via a browser, all was good. If I used the app, it failed. I think it might be that the native apps only use WS-Fed, not SAML. I don't know how to work around that; I don't even run AD-FS. What I did is change to pass-through authentication (PTA) (https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-pta).

    Now all my clients work! I no longer use APM as an ID provider.

    Maybe someone has experience with WS-Fed integration with APM? I'd be interested to see if APM could still be used without the need for AD-FS to handle WS-Fed. My gut tells me that clever APM users might sniff out the WS-Fed URL and forward it to AD-FS. My original design goal was to avoid AD-FS altogether. PTA does meet that goal, so for now I'm sticking with it.

    When you find your solution, update this post.

    Cheers, Mike