CSM 10.2.2 Documentation


Resolve Problems Using ADFS with Safari Browser

A known issue exists when using Safari with Microsoft Active Directory Federation Services (ADFS). Instead of being authenticated automatically, users are forced to provide credentials. The problem is resolved by editing the ADFS Relay State options.

Note: This topic applies to versions of ADFS that are currently supported by Microsoft.

The CSM SAML Service should automatically detect when a Safari browser is being used, and automatically use the alternate GET method without specifying the UseSAMLADFSRedirect setting in the web.config file. Users only need to set the UseSAMLADFSRedirect setting if they want to force this behavior for all requests.

To edit the ADFS Relay State options:

  1. On the server where ADFS is installed, locate and open the web.config file. Examples:
    • ADFS 2.0/2.1 example: %systemroot%\inetpub\adfs\ls\web.config
    • ADFS 3.0 example: %systemroot%\ADFS\Microsoft.IdentityServer.Servicehost.exe.config
  2. Enable the Relay State option.

    SAML: Enable relay state option in web.config file.

  3. Go to the CherwellService folder (Example: C:\Program Files (x86)\Cherwell Browser Applications\CherwellService).
  4. Open the web.config file.
  5. Enable the UseSAMLADFSRedirect key in the Cherwell Server web.config file.

    SAML: Relay key in config file.

  6. For ADFS x.x, run IISReset to restart IIS.
  7. Restart the Active Directory Federation Services.

Test Changes

Test that the enabled settings work by running Fiddler and capturing the requests made when connecting to ADFS. The first request should go to the IdP-initiated sign-on page (shown in bold in the capture) and carry a RelayState value (italicized). This call should use the GET method instead of the POST method that is used when no Relay State is present:

GET /adfs/ls/idpinitiatedsignon.aspx?RelayState=RPID%3dhttps%3a%2f%2

SAML: Test Relay State

This is the behavior if you are not using the relay state options.

POST /adfs/ls/?binding=urn%3aoasis%3anames%3atc%3aSAML%3a2.0%3abindings%3aHTTP-POST HTTP/1.1

SAML: Relay State POST
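As an added example (not part of the CSM documentation), the Python check below classifies a captured request line the way the Fiddler test above does: it confirms the GET to the IdP-initiated sign-on page, decodes the RelayState (ADFS's RPID=...&RelayState=... format, URL-encoded twice) and verifies that the RPID names the expected relying party. The host csm.example.com and the relying-party identifier are constructed sample values.

```python
from urllib.parse import parse_qs, quote, urlparse

IDP_INITIATED_PATH = "/adfs/ls/idpinitiatedsignon.aspx"


def build_relay_state(rpid, target_url=None):
    """Inner RelayState: 'RPID=<rpid>[&RelayState=<target>]', each part URL-encoded once.
    The caller encodes the whole string a second time when placing it in the query."""
    inner = "RPID=" + quote(rpid, safe="")
    if target_url:
        inner += "&RelayState=" + quote(target_url, safe="")
    return inner


def parse_relay_state(outer_value):
    """outer_value is the RelayState query parameter after one round of decoding."""
    return {k: v[0] for k, v in parse_qs(outer_value).items()}


def check_request_line(request_line, expected_rpid):
    """Return what the Fiddler test looks for: method, IdP-initiated path, decoded RPID/target."""
    method, target, _version = request_line.split(" ", 2)
    parsed = urlparse(target)
    outer = parse_qs(parsed.query)  # first decoding layer
    relay = parse_relay_state(outer["RelayState"][0]) if "RelayState" in outer else {}
    idp_initiated = parsed.path.lower() == IDP_INITIATED_PATH
    return {
        "method": method,
        "idp_initiated": idp_initiated,
        "rpid": relay.get("RPID"),
        "target": relay.get("RelayState"),
        # Relay State is in effect only for a GET to the IdP-initiated page naming the expected RP
        "relay_state_in_effect": method == "GET" and idp_initiated and relay.get("RPID") == expected_rpid,
    }


# Constructed sample captures: the GET seen with Relay State enabled, and the POST seen without it.
EXPECTED_RPID = "https://csm.example.com/CherwellService/"
SAMPLE_GET = (
    "GET " + IDP_INITIATED_PATH + "?RelayState="
    + quote(build_relay_state(EXPECTED_RPID, "https://csm.example.com/CherwellClient/"), safe="")
    + " HTTP/1.1"
)
SAMPLE_POST = "POST /adfs/ls/?binding=urn%3aoasis%3anames%3atc%3aSAML%3a2.0%3abindings%3aHTTP-POST HTTP/1.1"

if __name__ == "__main__":
    for line in (SAMPLE_GET, SAMPLE_POST):
        print(check_request_line(line, EXPECTED_RPID))
```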

Good to Know

  • There are several web.config files used by CSM.
  • When an application starts, the web.config file is backed up in a separate folder.
  • Content of the web.config files is retained during both upgrade and reinstallation, so any changes you make to web.config files are preserved.
