We have moved from NAM Identity Provider to AzureAD. The MS Edge_C uses Enterprise Mode Site List
to force IE mode for the application.
On a new session, the user is redirected (GET) from our application to login.microsoftonline.com
via SAML. After selecting the account, another redirect is sent to the company authentication service, which successfully authenticates the user. The SAML response is sent to the application via POST.
That's how it should be, and that's how it was with NAM (which authenticated the user directly). But since the switch to AzureAD, the final POST back to the application is broken. Our application receives a GET request without SAML-related parameters and therefore the SSO fails. Without IE mode it works, but since it is a legacy application we have to use IE mode.
The same process directly in IE11 works as expected.
Does anyone know what could be wrong with AzureAD's response? It seems like something is irritating the Edge_C about the response, which is why the change "Non IE Mode" (login.mso.com) to "IE Mode" (application) discards the POST and a GET is made.
I would appreciate any ideas to help us with this problem.
After a long debugging session, the solution turned out to be really simple:
Enterprise Mode Site List as Neutral
This ensures that the SSO service is used in the same browser instance as the application that triggered the SSO. No switch between Edge and IE happens.
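A minimal Enterprise Mode Site List expressing the accepted answer, added here as an illustration and not taken from the thread: the application hostname is a placeholder, and the element values follow the Enterprise Mode schema v.2 as I know it, where `<open-in>None</open-in>` is how a site is marked Neutral.

```xml
<!-- Constructed example of an Enterprise Mode Site List (schema v.2).
     legacy-app.example.internal is a placeholder for the real application host. -->
<site-list version="1">
  <!-- The legacy application itself is forced into IE mode. -->
  <site url="legacy-app.example.internal">
    <compat-mode>Default</compat-mode>
    <open-in>IE11</open-in>
  </site>
  <!-- The identity provider is marked Neutral (open-in None): it stays in
       whatever engine the navigation started in, so the SAML POST back to the
       application is not dropped by an Edge-to-IE-mode engine switch. -->
  <site url="login.microsoftonline.com">
    <compat-mode>Default</compat-mode>
    <open-in>None</open-in>
  </site>
</site-list>
```

The company authentication service mentioned in the question is not listed above; on the assumption that it is a separate host in the redirect chain, it would need the same Neutral entry so that no hop in the chain triggers an engine switch.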