I am trying to use the ADAL library for .NET in Xamarin Forms (iOS and Android) to implement a POC application that authenticates against my company's Azure AD. I've managed to authenticate with username/password on both platforms, and by using Microsoft Authenticator as a broker on Android (Workplace Join).
But I am struggling to authenticate with Authenticator on iOS. I've used the SSO guide for ADAL iOS as a reference (https://docs.microsoft.com/en-us/azure/active-directory/active-directory-sso-ios).
When I click my test login button the Authenticator app opens, but it just stays open with a white screen and a cancel button. I've tried both with iOS 9.3 and iOS 10. I get these error messages in the Device logs.
Warning (325) / Authenticator: ADALiOS [2016-11-28 11:04:35 - 9966AB28-6265-400D-91B4-F3B145D12FB9] VERBOSE: ADAL API call [Version - 2.0.2]. Additional Information: In function: +[ADBrokerContext getAllAccounts:], file line #632. ErrorCode: 0.
Warning (325) / Authenticator: ADALiOS [2016-11-28 11:04:35 - 9966AB28-6265-400D-91B4-F3B145D12FB9] VERBOSE: ADAL API call [Version - 2.0.2]. Additional Information: In function: -[ADKeychainTokenCacheStore allItemsWithError:], file line #419. ErrorCode: 0.
Warning (325) / Authenticator: ADALiOS [2016-11-28 11:04:35 - 9966AB28-6265-400D-91B4-F3B145D12FB9] VERBOSE: Keychain token cache store. Additional Information: (null). ErrorCode: 0.
Warning (325) / Authenticator: ADALiOS [2016-11-28 11:04:35 - 9966AB28-6265-400D-91B4-F3B145D12FB9] VERBOSE: ADAL API call [Version - 2.0.2]. Additional Information: In function: +[ADBrokerContext isBrokerRequest:returnUpn:], file line #157. ErrorCode: 0.
Warning (325) / Authenticator: ADALiOS [2016-11-28 11:04:35 - 9966AB28-6265-400D-91B4-F3B145D12FB9] VERBOSE: ADAL API call [Version - 2.0.2]. Additional Information: In function: +[ADBrokerContext isBrokerRequest:returnUpn:], file line #157. ErrorCode: 0.
Warning (325) / Authenticator: ADALiOS [2016-11-28 11:04:35 - 9966AB28-6265-400D-91B4-F3B145D12FB9] INFORMATION: Broker invoked from my.company.xamarinadaltest. Additional Information: (null). ErrorCode: 0.
Warning (325) / Authenticator: ADALiOS [2016-11-28 11:04:35 - 9966AB28-6265-400D-91B4-F3B145D12FB9] VERBOSE: ADAL API call [Version - 2.0.2]. Additional Information: In function: +[ADBrokerContext invokeBrokerImpl:sourceApplication:upn:webView:], file line #432. ErrorCode: 0.
Warning (325) / Authenticator: ADALiOS [2016-11-28 11:04:35 - 9966AB28-6265-400D-91B4-F3B145D12FB9] ERROR: Error raised: 2. Additional Information: Domain: ADAuthenticationErrorDomain Details: source application bundle identifier should be same as the redirect URI domain. ErrorCode: 2.
Warning (325) / Authenticator: ADALiOS [2016-11-28 11:04:35 - 9966AB28-6265-400D-91B4-F3B145D12FB9] ERROR: source application does not match redirect uri host. Additional Information: (null). ErrorCode: 0.
Redirect URI in code: msauth://code/x-msauth-adaltest%3A%2F%2Fmy.company.xamarinadaltest
In Entitlements.plist (I've tried with and without this in Entitlements - same result):
<dict>
<key>keychain-access-groups</key>
<array>
<string>$(AppIdentifierPrefix)my.company.xamarinadaltest</string>
<string>$(AppIdentifierPrefix)com.microsoft.workplacejoin</string>
<string>$(AppIdentifierPrefix)com.microsoft.adalcache</string>
</array>
</dict>
In Info.plist:
<key>CFBundleIdentifier</key>
<string>my.company.xamarinadaltest</string>
<key>CFBundleURLTypes</key>
<array>
<dict>
<key>CFBundleTypeRole</key>
<string>Editor</string>
<key>CFBundleURLName</key>
<string>my.company.xamarinadaltest</string>
<key>CFBundleURLSchemes</key>
<array>
<string>x-msauth-adaltest</string>
</array>
</dict>
</array>
<key>LSApplicationQueriesSchemes</key>
<array>
<string>msauth</string>
</array>
Redirect URIs in Azure Portal:
msauth://code/x-msauth-adaltest://my.company.xamarinadaltest
x-msauth-adaltest://my.company.xamarinadaltest
msauth://code/x-msauth-adaltest%3A%2F%2Fmy.company.xamarinadaltest
According to the guide (https://docs.microsoft.com/en-us/azure/active-directory/active-directory-sso-ios):
Your redirect URI must be in the proper form of:
<app-scheme>://<your.bundle.id>
So I don't understand the error "source application bundle identifier should be same as the redirect URI domain".
Has anyone managed to get this working? It seems like Authenticator is using an old version of ADALiOS; can that be an issue?
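The broker log above says what the iOS broker compares before it will hand a token back: the bundle identifier of the calling app against the host part of the redirect URI. As an added illustration that is not code from the question, from ADAL or from Microsoft, the Python script below runs that comparison over the three redirect URIs quoted in the question, parses the Info.plist fragment from the question (embedded here as a constructed sample, without the stray duplicate key) to check that the redirect URI's scheme is actually registered, and builds the `<app-scheme>://<your.bundle.id>` form the SSO guide quotes. The exact comparison the real broker performs (case handling, whether it parses with an RFC 3986 parser) is an assumption; the values, bundle id, scheme and plist keys are the ones from the question.

```python
import plistlib
from urllib.parse import urlsplit

# Constructed sample: the Info.plist fragment from the question, as a complete plist.
INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key>
  <string>my.company.xamarinadaltest</string>
  <key>CFBundleURLTypes</key>
  <array>
    <dict>
      <key>CFBundleTypeRole</key>
      <string>Editor</string>
      <key>CFBundleURLName</key>
      <string>my.company.xamarinadaltest</string>
      <key>CFBundleURLSchemes</key>
      <array>
        <string>x-msauth-adaltest</string>
      </array>
    </dict>
  </array>
  <key>LSApplicationQueriesSchemes</key>
  <array>
    <string>msauth</string>
  </array>
</dict>
</plist>
"""

# The three redirect URIs registered in the Azure portal in the question.
CANDIDATE_REDIRECT_URIS = [
    "msauth://code/x-msauth-adaltest%3A%2F%2Fmy.company.xamarinadaltest",
    "msauth://code/x-msauth-adaltest://my.company.xamarinadaltest",
    "x-msauth-adaltest://my.company.xamarinadaltest",
]


def load_app_identity(plist_bytes: bytes):
    """Return (bundle_id, registered URL schemes) from an Info.plist."""
    info = plistlib.loads(plist_bytes)
    schemes = set()
    for url_type in info.get("CFBundleURLTypes", []):
        schemes.update(s.lower() for s in url_type.get("CFBundleURLSchemes", []))
    return info["CFBundleIdentifier"], schemes


def redirect_uri_host(uri: str) -> str:
    """Host (authority) component of a redirect URI, lower-cased.

    For 'scheme://host/path' this is 'host'; a percent-encoded URI nested in the
    path does not change the host, because the path is not decoded here.
    """
    return urlsplit(uri).netloc.lower()


def broker_redirect_check(uri: str, bundle_id: str, registered_schemes) -> dict:
    """Reproduce the comparison named in the broker log message.

    'source application bundle identifier should be same as the redirect URI
    domain' is modelled here as host == bundle id (case-insensitive; assumption).
    Also reports whether the app could even receive a callback on that scheme,
    i.e. whether the scheme is in CFBundleURLSchemes.
    """
    parts = urlsplit(uri)
    host = parts.netloc.lower()
    return {
        "uri": uri,
        "scheme": parts.scheme.lower(),
        "host": host,
        "host_matches_bundle_id": host == bundle_id.lower(),
        "scheme_registered_in_info_plist": parts.scheme.lower() in registered_schemes,
    }


def expected_ios_redirect(scheme: str, bundle_id: str) -> str:
    """Redirect URI in the form the SSO guide quotes: <app-scheme>://<your.bundle.id>."""
    return f"{scheme}://{bundle_id}"


def report(plist_bytes: bytes = INFO_PLIST, uris=CANDIDATE_REDIRECT_URIS):
    """Run the check over every candidate URI; returns the list of result dicts."""
    bundle_id, schemes = load_app_identity(plist_bytes)
    return [broker_redirect_check(u, bundle_id, schemes) for u in uris]


if __name__ == "__main__":
    for r in report():
        print(f"{r['uri']}\n  host={r['host']!r} matches_bundle_id={r['host_matches_bundle_id']}"
              f" scheme_registered={r['scheme_registered_in_info_plist']}")
    print("guide form:", expected_ios_redirect("x-msauth-adaltest", "my.company.xamarinadaltest"))
```

Running it shows why the two `msauth://code/...` forms parse to host `code` rather than the bundle id, while only the bare `x-msauth-adaltest://my.company.xamarinadaltest` has a host equal to `CFBundleIdentifier` and a scheme the app has registered; that is the relationship the log line describes, independent of which ADALiOS version the broker ships.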