This relates to Apple only accepting cookies up to 4096 bytes.
The suggestions from Microsoft were:
- Ask Apple to fix Safari
- Don't sign the SAML request
- Try to reduce the number of claims, e.g. by sending specific groups rather than all of them
- Use SAML artifact resolution
Or you could use a variation of this, which is to send a limited set of claims; enough for most purposes. For the times when you need the extra claims, you could e.g. use the Microsoft Graph API in Azure to get the others.
Yes, that basically defeats the whole purpose of claims, but sometimes it's a case of any port in a storm!
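One way to check whether a claim set will blow the 4096-byte limit, and to apply the "send only specific groups" workaround, as an added example that is not part of the original post. It assumes a relying party that serialises claims to JSON and base64url-encodes them into a single cookie, with a fixed constant standing in for signature and cookie-attribute overhead; the user, group identifiers and allow-list are constructed sample data.

```python
"""Estimate cookie size for a claim set against Safari's 4096-byte limit and
trim group claims to the ones an application actually authorises on.
Assumptions (not stated on the page): claims are JSON-serialised and
base64url-encoded into one cookie; signature overhead is a fixed constant."""
import base64
import json

SAFARI_COOKIE_LIMIT = 4096   # bytes, the limit described in the post
SIGNATURE_OVERHEAD = 400     # assumed: signature, cookie name and attributes


def cookie_size(claims: dict) -> int:
    """Approximate on-the-wire size of a cookie carrying these claims."""
    payload = json.dumps(claims, separators=(",", ":")).encode()
    encoded = base64.urlsafe_b64encode(payload).rstrip(b"=")
    return len(encoded) + SIGNATURE_OVERHEAD


def fits_safari(claims: dict) -> bool:
    """True if the estimated cookie stays within Safari's limit."""
    return cookie_size(claims) <= SAFARI_COOKIE_LIMIT


def trim_groups(claims: dict, relevant_groups: set) -> tuple:
    """Keep only group claims the application needs; return (trimmed, dropped).
    The dropped groups can be fetched later, e.g. via Microsoft Graph."""
    groups = claims.get("groups", [])
    kept = [g for g in groups if g in relevant_groups]
    dropped = [g for g in groups if g not in relevant_groups]
    trimmed = dict(claims)
    trimmed["groups"] = kept
    return trimmed, dropped


# Constructed sample: a user who is a member of 150 groups (GUID-like ids)
SAMPLE_CLAIMS = {
    "upn": "alice@example.com",
    "name": "Alice Example",
    "groups": [f"00000000-0000-0000-0000-{i:012d}" for i in range(150)],
}
# Constructed allow-list: the two groups this application authorises on
APP_GROUPS = {
    "00000000-0000-0000-0000-000000000003",
    "00000000-0000-0000-0000-000000000042",
}

if __name__ == "__main__":
    print("full claim set:", cookie_size(SAMPLE_CLAIMS), fits_safari(SAMPLE_CLAIMS))
    trimmed, dropped = trim_groups(SAMPLE_CLAIMS, APP_GROUPS)
    print("trimmed:", cookie_size(trimmed), fits_safari(trimmed), "dropped", len(dropped))
```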