ADFS : Cookie size with Apple devices

Interesting thread over on the ADFS forum.

This relates to Apple only accepting cookies up to 4096 bytes.

The suggestions from Microsoft were:

• Ask Apple to fix Safari
• Don't sign the SAML request
• Try and reduce the number of claims e.g. sending specific groups; not all of them
• Use SAML artifact resolution

In artifact resolution, the token just contains an artifact which is a key to the actual claim. You then send the artifact back via a SOAP back channel and get the set of claims.

Or you could use a variation of this which is to send a limited set of claims; enough for most purposes. For the times when you need the extra claims, you could e.g. use the Microsoft Graph API in Azure to get the others.

Yes - that basically defeats the whole purpose of claims but sometimes it's a case of any port in a storm!

Enjoy!