I work on a web app which uses SSO with an external CAS server. The flow is:
- When accessing the webapp (myapp.com), the user is redirected to a form (whereareyoufrom.com/form) which redirects to the correct CAS server login page (iamfromhere.com/login).
- The user logs in the CAS server login page (iamfromhere.com/login).
- The user is redirected to the webapp.
An Android TWA from this web app was created, which works fine.
An iOS TWA was also created, but the authentication workflow does not work properly.
I can access the CAS server’s login page (iamfromhere.com/login) correctly within the TWA. However, when submitting the form, the TWA opens a new window in Safari -outside of the TWA- and shows the same login page again (iamfromhere.com/login).
If I try to submit the form again I’m redirected to the identity provider website as correctly logged in (iamfromhere.com/home), instead of being redirected to the TWA webapp (myapp.com/home).
If I close the browser window, I’m back to the TWA on the first iamfromhere.com/login.
Here is a diagram of the flow.
Solid green arrows for what works correctly, dashed green arrows for the expected behavior and blue arrows for what happens and is not expected.
The manifest.json file has display set to standalone.
The TWA is built for iOS 13.
I have no expertise on TWAs but what I tried and did not work:
- In the
WebView.swiftfile, setconfig.limitsNavigationsToAppBoundDomainstofalse - Adding
<meta name="apple-mobile-web-app-capable" content="yes">in myindex.html - Adding all external domain names to the TWA’s permitted URLs
