Force Apple to fix Safari certificate auth bug (Support ADFS Device Authentication)
We really need Microsoft Corp. to fly to Cupertino and slap the guys responsible for the development of the Safari browser on MacOS. :D
It looks like the people at SAP have given up on Apple. This has been an issue for a long time now and we REALLY need a solution for this.
Another approach would be to build some kind of mechanism/feature into ADFS that would not send a "Certificate Authentication Request" for specific user-agent strings (read: macOS + Safari). We have only seen the issue for Safari on macOS. Other browsers work like a charm.
The fact that Apple doesn't implement full support of the RFC for Certificate Authentication is breaking a lot of ADFS Conditional Access scenarios in heterogeneous environments with both Mac and Windows devices.
The MacOS Safari issue:
For some reason Apple didn't implement support for a website that is ONLY requesting a certificate for authentication. Safari interprets the "Certificate Auth Request" as being a "Certificate Auth Required", which prompts users to select a certificate for authentication. This creates a HUGE user impact.
“We use the "Request" setting, precisely so that the absence of a certificate does not prevent users accessing the system via username/password.
Unfortunately, it seems that there is some piece of SSL code on some Apple platforms that interprets "request" as "require" and will not let you in without a certificate.”
@Samuel Devasahayam (A.k.a. Mr. ADFS :D )
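The "request" versus "require" distinction the post describes, as an added example that is not part of the original post and not code from ADFS, Apple or Microsoft: a Go program that runs a TLS 1.2 handshake in memory with the server configured for each of Go's client-auth modes while the client presents no certificate. The self-signed localhost certificate, the in-memory pipe and the function names are constructed for this demonstration; Go's RequestClientCert and VerifyClientCertIfGiven modes stand in for the ADFS "Request" setting, and RequireAnyClientCert for "Require".

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSignedServerCert builds a throwaway certificate for "localhost" in memory.
// It is constructed test material for this example, not an ADFS certificate.
func selfSignedServerCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "localhost"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     []string{"localhost"},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	parsed, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(parsed) // the client trusts exactly this one certificate
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, roots, nil
}

// HandshakeWithoutClientCert runs one TLS 1.2 handshake over an in-memory pipe.
// The server's CertificateRequest behaviour is set by mode; the client holds no
// certificate and answers with an empty Certificate message, which is what a
// conforming browser on a machine without a device certificate should do.
// The result is nil only when both sides completed the handshake.
func HandshakeWithoutClientCert(mode tls.ClientAuthType) error {
	cert, roots, err := selfSignedServerCert()
	if err != nil {
		return err
	}
	srvConn, cliConn := net.Pipe()
	defer srvConn.Close()
	defer cliConn.Close()
	deadline := time.Now().Add(5 * time.Second) // turns any stall into an error instead of a hang

	serverErr := make(chan error, 1)
	go func() {
		srv := tls.Server(srvConn, &tls.Config{
			Certificates: []tls.Certificate{cert},
			ClientAuth:   mode,             // the "request" vs "require" knob
			MinVersion:   tls.VersionTLS12,
			MaxVersion:   tls.VersionTLS12, // in 1.2 the client sees a rejection inside the handshake
		})
		srv.SetDeadline(deadline)
		serverErr <- srv.Handshake()
	}()

	cli := tls.Client(cliConn, &tls.Config{
		RootCAs:    roots,
		ServerName: "localhost",
		// Certificates deliberately left empty: this client has nothing to present.
	})
	cli.SetDeadline(deadline)
	clientErr := cli.Handshake()
	if err := <-serverErr; err != nil {
		return fmt.Errorf("server rejected the certificate-less client: %w", err)
	}
	return clientErr
}

// AdmitsCertlessClient reports, per client-auth mode, whether a client with no
// certificate still completes the handshake. The first two are the "request"
// semantics ADFS relies on for certificate-or-password sign-in; the last is
// "require", which is how Safari appears to treat the request.
func AdmitsCertlessClient() map[string]bool {
	modes := map[string]tls.ClientAuthType{
		"RequestClientCert":       tls.RequestClientCert,
		"VerifyClientCertIfGiven": tls.VerifyClientCertIfGiven,
		"RequireAnyClientCert":    tls.RequireAnyClientCert,
	}
	out := make(map[string]bool, len(modes))
	for name, mode := range modes {
		out[name] = HandshakeWithoutClientCert(mode) == nil
	}
	return out
}

func main() {
	for name, ok := range AdmitsCertlessClient() {
		fmt.Printf("%-24s admits certificate-less client: %v\n", name, ok)
	}
}
```

Run it with go run: the table shows the point of "request". A client that answers the CertificateRequest with an empty Certificate message still completes the handshake, so username/password sign-in can follow, whereas under "require" the server aborts with a bad_certificate alert. A browser that never sends the empty Certificate message, or abandons the connection when asked, produces the "require" outcome for the user no matter what the server is configured to do.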
Mikkel Hansen commented
macOS 10.13.1 and it is still not fixed. Blank page when authenticating against an ADFS.
Aaron Marks commented
Early indications are that Apple has fixed this in the first macOS 10.13 High Sierra public beta release.
Peter Selch Dahl commented
I'm currently investigating this issue with Apple support. They're checking their internal support knowledge base for more information about the issue. Will keep you posted.