ADFS issue with OSX 10.7

Knowledge Article Number 000181222
Description: We are experiencing an SSO failure when using Mac OSX 10.7 (Lion) and the Safari 6.0 browser. The ADFS error is: “MSIS7046: The SAML protocol parameter ‘RelayState’ was not found or not valid.”

The issue is observed only when using Mac OSX 10.7 (Lion) and the Safari 6.0 browser.

  • This is caused by a known issue on OSX 10.7 with the ADFS redirect.
  • OSX 10.7 only supports a cookie size of 4 kb.
  • ADFS, however, can redirect the user with a cookie >5 kb that specifies all of the context (application, endpoint, username, relaystate, internal ADFS parameters).
  • Because of the 4 kb limit, this cookie can get truncated, resulting in an ADFS exception.
  • The workaround is to implement a login page directly with the ADFS Salesforce IDP. This way, a redirect cookie doesn't need to be set to specify the user context in ADFS.
  • This will require them to build a custom ADFS login portal.
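
To confirm whether a given redirect is affected, the cookies in a captured response can be measured against the 4 kb limit. The following is an added example, not code from the article or from ADFS. It assumes the limit applies to the `name=value` pair and that the client cuts the cookie at the limit. The cookie names, the `&`-delimited field layout and the host are constructed placeholders, not the real ADFS cookie format.

```python
COOKIE_LIMIT = 4096  # the 4 kb per-cookie limit the article attributes to OSX 10.7


def set_cookie_pairs(raw_headers):
    """Yield (name, b"name=value") for every Set-Cookie header, attributes dropped."""
    for line in raw_headers.splitlines():
        field, sep, value = line.partition(":")
        if sep and field.strip().lower() == "set-cookie":
            pair = value.strip().split(";", 1)[0]
            yield pair.partition("=")[0].strip(), pair.encode("utf-8")


def audit_cookies(raw_headers, required=(), limit=COOKIE_LIMIT):
    """Report each cookie's size and which required fields a truncating client loses."""
    report = []
    for name, pair in set_cookie_pairs(raw_headers):
        lost = []
        for field in required:
            start = pair.find(field.encode() + b"=")
            if start < 0:
                continue  # field is not carried in this cookie
            end = pair.find(b"&", start)  # assumed '&' delimiter (constructed format)
            end = len(pair) if end < 0 else end
            if end > limit:  # field is cut off or only partly stored
                lost.append(field)
        report.append({"name": name, "size": len(pair),
                       "over_by": max(0, len(pair) - limit), "lost": lost})
    return report


def sample_response():
    """Constructed redirect; cookie names, fields and host are placeholders."""
    context = ("application=example-app&endpoint=example-endpoint"
               "&username=user@example.com&internal=" + "A" * 5000 +
               "&RelayState=/example/landing")
    return ("HTTP/1.1 302 Found\r\n"
            "Location: https://adfs.example.com/adfs/ls/\r\n"
            "Set-Cookie: ExampleContext=" + context + "; Path=/adfs; Secure\r\n"
            "Set-Cookie: ExampleSmall=abc; Path=/\r\n\r\n")


if __name__ == "__main__":
    rows = audit_cookies(sample_response(), required=("username", "RelayState"))
    for row in rows:
        status = "OVER LIMIT" if row["over_by"] else "ok"
        print(f'{row["name"]}: {row["size"]} bytes, {status}, lost={row["lost"]}')
```

In the constructed sample the oversized cookie keeps `username` but loses `RelayState`, which matches the MSIS7046 symptom described above.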