Hello,
In a development environment at the moment. Set up a (browser) application called SAP Fiori and configured SAML authentication. From a desktop OS 8/10, the configuration is active and functional. IE (11), Firefox and Opera will use (internal) integrated
authentication or (external) form authentication and log on.
Everything works correctly!
On iPad/iPhone (9.2), however...
When I first go to the https://sts.domain.com/adfs/ls/idpinitiatedsignon.aspx, I can logon to the sts and select the site! And it works.
But when I go first to the URL fiori.domain.com, I am correctly redirected to the https://sts.domain.com/adfs/ls.
The logon page is shown and when I enter the credentials, the ADFS3 form throws the below error.
Encountered error during federation passive request.
Additional Data
Protocol Name:
Relying Party:
Exception details:
Microsoft.IdentityServer.Web.CookieManagers.InvalidSamlContextException: MSIS7046: The SAML protocol parameter 'RelayState' was not found or not valid. If the context was stored in cookies, the cookies that were presented by the client were not valid. Ensure
that the client browser is configured to accept cookies from this website and retry this request.
at Microsoft.IdentityServer.Web.CookieManagers.EncodedContext.InitializeSamlProtocolContext(Uri baseUrl, String encodedValue)
at Microsoft.IdentityServer.Web.CookieManagers.EncodedContext..ctor(String encodedValue, Boolean samlEnabled, Boolean wsFederationEnabled)
at Microsoft.IdentityServer.Web.CookieManagers.RequestCookieManager.Load(Boolean samlEnabled, Boolean wsFederationEnabled, WrappedHttpListenerRequest context)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlContextFactory.CreateProtocolContextFromRequest(WrappedHttpListenerRequest request, ProtocolContext& protocolContext)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.CreateProtocolContext(WrappedHttpListenerRequest request)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.GetProtocolHandler(WrappedHttpListenerRequest request, ProtocolContext& protocolContext, PassiveProtocolHandler& protocolHandler)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)
The iPad has "allow all cookies" enabled. I have tested with Safari, Firefox, Chrome and Opera, same result..
I have seen this thread also, but they gave up... https://social.technet.microsoft.com/Forums/windowsserver/en-US/5e8be1ac-e8da-47e5-b1d7-f708b51536cb/ad-fs-3-adfs3-issue-with-ipads?forum=winserverDS
Environment setup:
F5-> WAP (2012r2) <-> AD FS (2012r2)
<-> SAP Fiori (App)
<-> Topdesk (App)
<-> ...
Thanks,
Perry
Update!
When I go the url:
https://fiori.domain.com I get the above error (you can see that you are redirected to sts). When you enter the same URL (https://fiori.domain.com) again in the browser, you are in! So the authentication is OK, but AD FS displays an error in the logon page...
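MSIS7046 means AD FS could not recover the context it stored when the SP's AuthnRequest arrived: either the RelayState parameter is absent or malformed on the request, or the context cookie it issued is not coming back. Before blaming the device, a practitioner captures the SP-to-IdP redirect URL (the first hop from fiori.domain.com to /adfs/ls) and checks what it actually carries. The script below is an added example and is not code from the post, from SAP or from Microsoft; it builds a constructed SAML HTTP-Redirect URL for a made-up SP (hostnames and the AuthnRequest body are assumptions) and then decodes it the way an IdP would, reporting a missing RelayState, an over-length RelayState, or an AuthnRequest without an Issuer.

```python
"""Decode a SAML 2.0 HTTP-Redirect binding URL and check the parameters an IdP
needs to restore its request context. Added diagnostic example; the hostnames,
request ID and AuthnRequest body are constructed, not taken from the post."""
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse, parse_qs, urlencode

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
MAX_RELAY_STATE_BYTES = 80  # limit set by the SAML 2.0 Bindings specification

# Constructed AuthnRequest such as an SP would send (assumed values throughout).
SAMPLE_AUTHN_REQUEST = (
    f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
    'ID="_example-request-0001" Version="2.0" IssueInstant="2016-01-01T00:00:00Z" '
    'AssertionConsumerServiceURL="https://fiori.example/saml/acs">'
    "<saml:Issuer>https://fiori.example/saml/metadata</saml:Issuer>"
    "</samlp:AuthnRequest>"
)
SAMPLE_IDP_URL = "https://sts.example/adfs/ls/"  # assumed IdP endpoint


def encode_redirect(authn_request_xml, relay_state, idp_url):
    """Build the SP->IdP redirect URL: raw DEFLATE, then base64, as the binding requires."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 => raw deflate, no zlib header
    raw = compressor.compress(authn_request_xml.encode("utf-8")) + compressor.flush()
    params = {"SAMLRequest": base64.b64encode(raw).decode("ascii")}
    if relay_state is not None:
        params["RelayState"] = relay_state
    return idp_url + "?" + urlencode(params)


def inspect_redirect(url):
    """Decode the redirect and list the problems that would make the IdP drop its context."""
    query = parse_qs(urlparse(url).query)
    findings = {"problems": []}

    if "SAMLRequest" not in query:
        findings["problems"].append("no SAMLRequest parameter on the redirect")
        return findings

    # Reverse the binding: base64 -> raw inflate -> XML
    raw = base64.b64decode(query["SAMLRequest"][0])
    root = ET.fromstring(zlib.decompress(raw, -15))
    findings["request_id"] = root.get("ID")
    findings["acs_url"] = root.get("AssertionConsumerServiceURL")

    issuer = root.find(f"{{{SAML}}}Issuer")
    findings["issuer"] = issuer.text if issuer is not None else None
    if findings["issuer"] is None:
        findings["problems"].append("AuthnRequest has no Issuer; IdP cannot map it to a relying party")

    relay = query.get("RelayState", [None])[0]
    findings["relay_state"] = relay
    if relay is None:
        findings["problems"].append("RelayState missing; IdP cannot locate its stored context")
    elif len(relay.encode("utf-8")) > MAX_RELAY_STATE_BYTES:
        findings["problems"].append("RelayState longer than 80 bytes; may be rejected or truncated")
    return findings


if __name__ == "__main__":
    good = encode_redirect(SAMPLE_AUTHN_REQUEST, "ctx-0001", SAMPLE_IDP_URL)
    bad = encode_redirect(SAMPLE_AUTHN_REQUEST, None, SAMPLE_IDP_URL)
    for label, url in (("with RelayState", good), ("without RelayState", bad)):
        print(label, inspect_redirect(url))
```

Run it against a real captured redirect by pasting the full Location header value into inspect_redirect. If the report is clean, the fault is on the cookie side (the context cookie AD FS sets on that first response is not being returned on the form POST), which matches the behaviour in the update: on the second visit the session already exists, so no context needs restoring and the logon succeeds.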