Salesforce with ADFS Integration for SSO – iOS devices cannot access the Salesforce page

Hello All,

Ahmad Yasin

In this article, we will discuss a small topic that is nevertheless very important for most companies that integrate Salesforce with Active Directory Federation Services (ADFS) to achieve single sign-on (SSO).

I deployed ADFS with Salesforce to achieve SSO, following the article below from the Salesforce site:

https://developer.salesforce.com/page/Single_Sign-On_with_Force.com_and_Microsoft_Active_Directory_Federation_Services

Note: we will not discuss how to integrate Salesforce with ADFS in this article; for the deployment guide see: https://developer.salesforce.com/page/Single_Sign-On_with_Force.com_and_Microsoft_Active_Directory_Federation_Services

After completing the integration between Salesforce and ADFS, everything worked as expected except on iOS devices. When a user tries to access the Salesforce page, they reach the Salesforce login page and then click the STS link to be sent to the ADFS page:

My ADFS URL is sts.mydummieslab.com, as shown below; it asks for the on-premises credentials:


After entering the credentials, I got the error below:

Dummies STS

An error occurred

An error occurred. Contact your administrator for more information.

Error details

  • Activity ID: 00000000-0000-0000-7100-00800000009a
  • Error time: Fri, 28 Apr 2017 16:59:06 GMT
  • Cookie: enabled

User agent string: Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_1 like Mac OS X) AppleWebKit/603.1.30 (KHTML, like Gecko) Version/10.0 Mobile/14E304 Safari/602.1

As usual, I went to Google and Bing, my best friends, and started searching. Unfortunately, I didn't find anything that helped directly, but while reading I found one important article: http://kb.tableau.com/articles/issue/error-saml-protocol-parameter-relaystate-was-not-found-or-not-valid-using-adfs-saml-with-ios. It describes the same error with a different application, but also on iOS. What I noticed is the reason the article gives for the issue: iOS and OS X browsers, such as mobile and desktop Safari, truncate cookies larger than 4KB, which are required by Microsoft ADFS.

That reason made me think in a different direction, so I started collecting Fiddler traces to see what was happening at the network level. Configuring Fiddler to capture traffic from iOS devices is explained very well in the Fiddler article: http://docs.telerik.com/fiddler/Configure-Fiddler/Tasks/ConfigureForiOS

Note: I am not a Fiddler specialist, but I am doing my best to analyze the traces. If you find that I got something wrong in the analysis, don't blame me 🙂

After collecting the traces, I found that the size of the cookies set by ADFS exceeded 4KB, which may be the cause in our case, as in the snapshots below:
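To check cookie sizes without eyeballing the Fiddler inspector, the following added example (not code from the original post or from Fiddler) parses the raw response head as Fiddler shows it, measures every Set-Cookie header, and flags those over the 4KB limit quoted from the Tableau article above. The sample response, the cookie names and their values are constructed placeholders; the second cookie is padded to stand in for a request-state cookie that has grown too large.

```python
# Per-cookie limit quoted in the Tableau KB article: Safari truncates cookies
# larger than 4 KB.
COOKIE_LIMIT_BYTES = 4096

# Constructed sample of an HTTP response head in the shape Fiddler shows under
# Inspectors > Raw. Cookie names/values are placeholders, not real ADFS cookies;
# "RequestState" is padded past the limit on purpose.
SAMPLE_RAW_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Location: https://sts.mydummieslab.com/adfs/ls/\r\n"
    "Set-Cookie: SessionMarker=abc123; path=/adfs; HttpOnly; Secure\r\n"
    "Set-Cookie: RequestState=" + "Q" * 4400 + "; path=/adfs; HttpOnly; Secure\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


def set_cookie_headers(raw_response: str) -> list[str]:
    """Return the value part of every Set-Cookie header in the response head."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    values = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "set-cookie":
            values.append(value.strip())
    return values


def cookie_sizes(raw_response: str) -> dict[str, int]:
    """Map cookie name -> size in bytes of the whole Set-Cookie value
    (name, value and attributes), which is what the browser limit applies to."""
    sizes = {}
    for header in set_cookie_headers(raw_response):
        cookie_name = header.split("=", 1)[0].strip()
        sizes[cookie_name] = len(header.encode("utf-8"))
    return sizes


def oversized_cookies(raw_response: str, limit: int = COOKIE_LIMIT_BYTES) -> list[str]:
    """Names of the cookies whose Set-Cookie header exceeds the limit."""
    return [name for name, size in cookie_sizes(raw_response).items() if size > limit]


if __name__ == "__main__":
    for name, size in cookie_sizes(SAMPLE_RAW_RESPONSE).items():
        flag = "TOO LARGE" if size > COOKIE_LIMIT_BYTES else "ok"
        print(f"{name}: {size} bytes ({flag})")
```

To use it on a real capture, paste the raw response head from Fiddler's Raw inspector into `SAMPLE_RAW_RESPONSE` (or read it from a saved session file) and run the script; any cookie listed as TOO LARGE is a candidate for the Safari truncation described above.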

So now I knew that there is a limitation on cookie size, and it seemed (as far as I understood Fiddler) that the size was more than 4KB. Then I started thinking about what to do. Again I went to my best friends Google and Bing, but found nothing. Then I decided to try changing the HTTP binding used by Salesforce. I was very lucky to think of this, because changing the Salesforce request binding from HTTP POST to HTTP Redirect solved the issue completely. Let me explain exactly what I did:

On the ADFS side, I made sure that the default configuration was left unchanged, as below:

Go to the Salesforce relying party trust that you already configured in ADFS per the Salesforce article and make sure that the endpoint binding is set to POST, as below:

From the Salesforce admin page, open the Single Sign-On Settings page and click Edit to modify the SAML single sign-on setting, as below:

You will find that the Service Provider Initiated Request Binding is set to HTTP POST, as below (this is the configuration given in the Salesforce article):

Now, this is the modification you need to make: just change the Service Provider Initiated Request Binding to HTTP Redirect and save the configuration, as below:

After that, try iOS again and it will work like a charm, and of course other OSs like Windows and Android keep working too.

I don't have enough information about why this change solved the issue, but at least it solved it 🙂 🙂
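As an added illustration (not code from the original post, from Salesforce or from Microsoft), here is how the two SAML 2.0 bindings carry the same AuthnRequest from the service provider to ADFS. With HTTP-POST the XML is only base64-encoded into a hidden SAMLRequest form field; with HTTP-Redirect it is DEFLATE-compressed, then base64-encoded and URL-encoded into the SAMLRequest query parameter, so the request that reaches ADFS is considerably smaller. If ADFS keeps that request in a cookie while the user authenticates, the smaller encoding is a plausible reason the change keeps the cookie under Safari's 4KB limit; the post itself does not confirm this, so treat it as a hypothesis. The AuthnRequest XML, issuer, destination and IDs below are constructed placeholders.

```python
import base64
import urllib.parse
import zlib

# Constructed, minimal SAML 2.0 AuthnRequest standing in for the one an SP such
# as Salesforce sends. Issuer, Destination, ACS URL and ID are placeholders.
AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_example-request-id" Version="2.0" IssueInstant="2017-04-28T16:59:06Z" '
    'Destination="https://sts.mydummieslab.com/adfs/ls/" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
    'AssertionConsumerServiceURL="https://sp.example.com/saml/acs">'
    '<saml:Issuer>https://sp.example.com</saml:Issuer>'
    '<samlp:NameIDPolicy '
    'Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" AllowCreate="true"/>'
    '</samlp:AuthnRequest>'
)


def encode_post_binding(xml: str) -> str:
    """HTTP-POST binding: the XML is base64-encoded, uncompressed, and sent as
    the hidden SAMLRequest form field of an auto-submitting HTML form."""
    return base64.b64encode(xml.encode("utf-8")).decode("ascii")


def decode_post_binding(value: str) -> str:
    """Reverse of encode_post_binding (what the IdP does on receipt)."""
    return base64.b64decode(value).decode("utf-8")


def encode_redirect_binding(xml: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE (no zlib header/trailer), then base64,
    then URL-encoding; sent as the SAMLRequest query parameter of a 302."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15 -> raw DEFLATE
    deflated = compressor.compress(xml.encode("utf-8")) + compressor.flush()
    return urllib.parse.quote(base64.b64encode(deflated).decode("ascii"), safe="")


def decode_redirect_binding(value: str) -> str:
    """Reverse of encode_redirect_binding: URL-decode, base64-decode, inflate."""
    raw = base64.b64decode(urllib.parse.unquote(value))
    return zlib.decompress(raw, -15).decode("utf-8")


def compare_bindings(xml: str = AUTHN_REQUEST) -> dict[str, int]:
    """Byte counts of the same request under each binding."""
    return {
        "xml_bytes": len(xml.encode("utf-8")),
        "post_bytes": len(encode_post_binding(xml)),
        "redirect_bytes": len(encode_redirect_binding(xml)),
    }


if __name__ == "__main__":
    sizes = compare_bindings()
    print(f"raw XML:          {sizes['xml_bytes']} bytes")
    print(f"HTTP-POST field:  {sizes['post_bytes']} bytes")
    print(f"HTTP-Redirect qs: {sizes['redirect_bytes']} bytes")
    print("redirect URL: https://sts.mydummieslab.com/adfs/ls/?SAMLRequest="
          + encode_redirect_binding(AUTHN_REQUEST))
```

Both encoders round-trip through their decoders, so you can also use `decode_redirect_binding` on a SAMLRequest parameter copied from a Fiddler trace to read the request Salesforce actually sent. Note that the size advantage of the redirect binding grows with the amount of repeated namespace and URL text in the request.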

Ahmad Yasin

Ahmad Yasin (MCSA Office 365, MCSE Messaging, Azure certified)

Ahmad Yasin is a Microsoft Cloud Engineer and the owner and publisher of the AzureDummies blog. He also holds many certificates in Office 365 and Windows Azure, including Developing Microsoft Azure Solutions, Implementing Microsoft Azure Infrastructure Solutions and MCSA Office 365.
