Azure Active Directory Safari Redirection Issue

You are correct. There are some known issues with AAD's Safari compatibility. You can make a new feature request in User Voice or upvote and subscribe to some of the existing ones.

https://support.microsoft.com/en-us/help/2535227/a-federated-user-is-prompted-unexp https://feedback.azure.com/forums/223579-azure-portal/suggestions/34373635-fix-signing-in-in-safari https://feedback.azure.com/forums/223579-azure-portal/suggestions/7513912-does-not-work-well-on-safari-but-works-fine-on-chr

UPDATE: the product team has gotten back and replied that this is an issue on Apple's end. The current status is that the Apple team and Microsoft's PG team are working on it but there is nothing that the Microsoft development team can do because there is nothing wrong on Microsoft's side. The issue is that Apple is not properly sending cookies to login.microsoftonline server because of the new privacy and security updates. https://developer.apple.com/safari/whats-new/

There is a solution documented by the aspnet/security team on GitHub.

https://github.com/aspnet/Security/issues/1864

If you are using ASP.NET Core Identity you disable the protection by configuring cookies with the following code

services.ConfigureExternalCookie(options => {
    // Other options
    options.Cookie.SameSite = SameSiteMode.None; }); services.ConfigureApplicationCookie(options => {
    // Other options
    options.Cookie.SameSite = SameSiteMode.None; });

If you are using cookie authentication without ASP.NET Core identity you can turn off the protection with the following code

services.AddCookie(CookieAuthenticationDefaults.AuthenticationScheme, options => {
    // Other options
    options.Cookie.SameSite = Microsoft.AspNetCore.Http.SameSiteMode.None; })

If you are using external OIDC providers you may be able to avoid the issue by changing the response mode your provider uses from a POST to a GET request, using the following code. Not all providers may support this.

.AddOpenIdConnect("myOIDProvider", options => {
    // Other options
    options.ResponseType = "code";
    options.ResponseMode = "query";
};