SSO & Safari Issue upon sign-in on Replicon Mobile App

  • Problem
  • Updated 3 years ago
  • Acknowledged

DDR Corp utilizes Single Sign-on for login purposes to our Replicon site and most recently we began experiencing issues with users logging into the Replicon Mobile App via the iOS (Apple) devices. It has been discovered and acknowledged by the Replicon team that there is an issue with the way Safari and ADFS are working together and we need to get this escalated to Apple in order to get this rectified.

Specific Example: The user logs into the app, and is forwarded to our SSO page within the Safari browser. The user then logs into the SSO page, and instead of the application launching, they receive an error, but pressing the back button reloads the page, and the app launches. It is believed that the user is getting an SSO token, but the Safari browser isn't forwarding it back to the app.

Please advise when we may expect resolution, as this is a constant issue for our users and is consuming much of our internal teams' time.

Thank you.

Tracy Smalley

Posted 3 years ago

Aashnee Kamboj, Community Moderator

Hi Tracy,

Thank you for using the Replicon Community!

We regret the inconvenience caused. We will have our Product Management team work through this and will update you with the progress.

Thanks,
Aashnee

Tracy Smalley

Can you please provide an update on this?

Thank you.

Vinesha Perera, Product Manager

Hi Tracy,

We have root caused this issue to be a Safari and ADFS (Active Directory Federation Services) issue. Sorry, it looks like there isn't much that can be done on our mobile app to fix this issue.

Our support team will be reaching out to Apple and Microsoft to determine a fix as the fix needs to be at their end.

Thanks,
Vinesha

Tracy Smalley

This works fine with the Safari browser to time.ddr.com (our SSO URL), and the Salesforce1 app logs in correctly with Safari and ADFS. It does seem to be only the Replicon app that has the issue, so I'm not sure how this can be concluded to not be Replicon's issue to resolve.

Vinesha Perera, Product Manager

Hi Tracy,

In our mobile app, during SSO, we call the default browser (Safari) to process the SSO steps. We were reading up on the Salesforce documentation, and it looks like the Salesforce app embeds a tiny browser inside the app itself and processes the SSO steps there. Since they don't call the default browser (Safari), that might be the reason why it works there.

https://developer.salesforce.com/page/Single_Sign-On_for_Desktop_and_Mobile_Applications_using_SAML_and_OAuth


There are also differences between how SSO works when logging directly from the mobile web browser vs the mobile app calling the browser.

We are working hard to get this issue resolved for you. We apologize for any inconvenience. 

We will keep you posted.

Thanks,

Vinesha

Carlos Soto

Hello Vinesha,

I found a related article on the Apple Community regarding this issue. There is a possible solution for getting ADFS to work with Safari. It requires that you associate the ADFS server's certificate to the App ID. Can you please let me know what the App ID is for Replicon for Apple iOS? I can test it and see if it resolves the issue. Please see the link below for details.

https://discussions.apple.com/thread/6612300?start=0&tstart=0

Carlos Soto

Specifically:

ADFS 3.0 has increased security features (increased SSL cert security) which might affect phone usage, plus there might also be missing user-agent issues.

For ssl cert (do in every ADFS server):

Command prompt with admin permissions: netsh http show sslcert

Search right certhash and appid values.

Command prompt with admin permissions: netsh http add sslcert ipport=0.0.0.0:443 certhash=*insertcerthashherewithoutasterisk* appid="{*insertappidherewithoutasterisk*}"

Restart ADFS services on all ADFS servers.
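The steps quoted above boil down to reading the HTTP.sys TLS binding on each ADFS server and re-adding it with an explicit certificate hash and Application ID. Before changing anything, an administrator will want to confirm what the binding currently says and whether it agrees with the ADFS configuration and the local certificate store (which is also what the later "SSL Cert bindings" check in this thread describes). The script below is an added example written for this thread; it is not code from Replicon, from the Apple Community post, or from Microsoft. It is read-only. It assumes ADFS 3.0 or later with the ADFS PowerShell module present (so `Get-AdfsSslCertificate` and its `CertificateHash` property are available), an elevated session, and that the ADFS binding is on port 443. The sample `netsh` output, the certificate hash and the GUID in it are constructed placeholders so the parser can be tried without a server.

```powershell
# Added example (not from the thread): read-only audit of the HTTP.sys TLS binding that
# "netsh http show sslcert" / "netsh http add sslcert" manipulate on an ADFS server.
# Assumes ADFS 3.0+ (ADFS module available), an elevated session, binding on port 443.

function ConvertFrom-NetshSslCert {
    # Turn the text output of "netsh http show sslcert" into one object per binding.
    # Handles "IP:port" bindings (2012 R2) as well as "Hostname:port" SNI bindings (2016+).
    param([Parameter(Mandatory)][string[]]$NetshOutput)

    $bindings = New-Object System.Collections.Generic.List[object]
    $current = $null
    foreach ($line in $NetshOutput) {
        if ($line -match '^\s*(IP:port|Hostname:port)\s*:\s*(\S+)') {
            if ($current) { $bindings.Add($current) }
            $current = [pscustomobject]@{ Binding = $Matches[2]; CertHash = $null; AppId = $null }
        }
        elseif ($current -and $line -match '^\s*Certificate Hash\s*:\s*([0-9a-fA-F]{40})') {
            $current.CertHash = $Matches[1].ToUpper()   # thumbprints in the store are upper-case
        }
        elseif ($current -and $line -match '^\s*Application ID\s*:\s*(\{[0-9a-fA-F-]{36}\})') {
            $current.AppId = $Matches[1].ToLower()
        }
    }
    if ($current) { $bindings.Add($current) }
    return $bindings
}

function Test-AdfsSslBinding {
    # Compare every :443 binding HTTP.sys knows about with what ADFS is configured to use
    # and with the LocalMachine\My store. Nothing is modified.
    $live     = ConvertFrom-NetshSslCert -NetshOutput (netsh http show sslcert)
    $expected = @(Get-AdfsSslCertificate | ForEach-Object { $_.CertificateHash.ToUpper() })

    foreach ($b in ($live | Where-Object { $_.Binding -like '*:443' })) {
        $cert = Get-ChildItem Cert:\LocalMachine\My |
                Where-Object { $_.Thumbprint -eq $b.CertHash } |
                Select-Object -First 1
        $subject  = $null
        $notAfter = $null
        if ($cert) { $subject = $cert.Subject; $notAfter = $cert.NotAfter }

        [pscustomobject]@{
            Binding           = $b.Binding
            CertHash          = $b.CertHash
            AppId             = $b.AppId
            HasAppId          = [bool]$b.AppId                   # "add sslcert" step supplies one
            MatchesAdfsConfig = ($expected -contains $b.CertHash) # binding vs. ADFS configuration
            InMachineStore    = [bool]$cert                       # hash resolves to a real cert
            Subject           = $subject
            NotAfter          = $notAfter                         # expiry is a common silent failure
        }
    }
}

# Constructed sample of "netsh http show sslcert" output (placeholder hash and GUID)
# so the parser can be exercised on a workstation without touching a server.
$sample = @'
SSL Certificate bindings:
-------------------------

    IP:port                      : 0.0.0.0:443
    Certificate Hash             : 0123456789abcdef0123456789abcdef01234567
    Application ID               : {00000000-0000-0000-0000-000000000000}
    Certificate Store Name       : MY
'@ -split "`r?`n"

ConvertFrom-NetshSslCert -NetshOutput $sample | Format-Table -AutoSize

# On an ADFS server (elevated), run the live comparison instead:
# Test-AdfsSslBinding | Format-Table -AutoSize
```

A binding whose `MatchesAdfsConfig` is false, or whose `HasAppId` is false, is the case the quoted steps are meant to repair; a binding whose `InMachineStore` is false means the hash in HTTP.sys no longer points at an installed certificate, which the `add sslcert` command in the steps would fail on until the correct hash is used.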

Tracy Smalley

If this works, please advise as DDR would like to see this issue get resolved as this has been going on far too long. Our end user experience is very important to the success of our use of the Replicon product.

Thank you

Tracy Smalley

Vinesha Perera, Product Manager

Hi Carlos,

Thanks for the reply.

I have emailed you the App ID.

Thanks,
Vinesha

Carlos Soto

Thank you Vinesha. Looks like the App ID referred to in the solution is actually the GUID of the app. Do you have that value?
Vinesha Perera, Product Manager

Hi Carlos,

I will check with engineering and get back to you.

Thanks,
Vinesha

Aashnee Kamboj, Community Moderator

Hi Carlos,

Our team is in the process of testing the GUID method on one of our test environments. We will confirm the resolution of the issue if the testing yields the expected results. I will keep the thread updated.

Thanks,
Aashnee Kamboj

Sayantan Choudhury, Tier 3 Cloud Operations Engineer

Hi Carlos,

We tested the steps as per "https://discussions.apple.com/thread/6612300?start=0&tstart=0" and our findings are as follows:

We first looked into the steps for setting the APP ID. This is not looking for the APP ID for our Apple App but is looking for the IIS APP ID which is used to run the IDP website. Upon checking the SSL Cert bindings for our test environment, where the issue is replicable, we found that the APP ID for IIS is already set against the SSL Cert we are using.

We then looked into the steps for the user-agent. This is not related to our setup because we don't do in-app-browser auth but we send the auth request to Safari which has a well-known user-agent.

Finally, we checked for the explanation given where a developer has created his own code to deal with a situation where Safari is not able to handle cookies where the size is more than 4K. But again this is not the issue because when we tap the back button on the failed browser message, the authentication passes with the same cookie size.

Thank you,

Sayantan Choudhury

Meyer, William

This reply was created from a merged topic originally titled SSO & Safari Issue with sign-in on Replicon Mobile App.

Step Energy Services uses Single Sign-on for login purposes to our Replicon site and we are launching this to 500 users within the next few weeks, but for the last few months we have been experiencing issues with users logging into the Replicon Mobile App via iOS (Apple) devices. It has been discovered and acknowledged by the Replicon team that there is an issue with the way Safari and ADFS are working together and Replicon is escalating this to Apple in order to get this rectified.

The user logs into the app, and is forwarded to our SSO page within the Safari browser. The user then logs into the SSO page, and instead of the application launching, they receive an error. This will jeopardize the roll-out of this product at Step Energy. Please get this resolved as soon as possible.