Friday, February 19, 2016

ADFS : Cookie size with Apple devices

Interesting thread over on the ADFS forum.

This relates to Apple only accepting cookies up to 4096 bytes.

The suggestions from Microsoft were:
  • Ask Apple to fix Safari
  • Don't sign the SAML request
  • Try and reduce the number of claims e.g. sending specific groups; not all of them
  • Use SAML artifact resolution
In artifact resolution, the token just contains an artifact which is a key to the actual claim. You then send the artifact back via a SOAP back channel and get the set of claims.

Or you could use a variation of this which is to send a limited set of claims; enough for most purposes. For the times when you need the extra claims, you could e.g. use the Microsoft Graph API in Azure to get the others.

Yes - that basically defeats the whole purpose of claims but sometimes it's a case of any port in a storm!


No comments: