I have set up OpenAM (13.0.0) to act as IdP and am using it to authenticate users for an SP (cloud application). I have configured the IdP as hosted under a sub-realm and added a separate datastore to store the user information for the IdP.
The SP-initiated SSO works fine with Chrome and Firefox, but I noticed that it fails when I try to do the SSO from the Safari browser.
I looked into the network traffic and compared the working case vs. the Safari case, and I see that in one of the redirects/forwards done in the browser after the backend sends the request to authenticate the SSO user, the query parameter (?realm=/myidprealm) has gone missing, causing the authentication page of the root realm (/) to show up for the user to enter credentials.
13.0.0 is a pretty old version, and I believe there are fixes for Safari specifically. ForgeRock would recommend moving to a later version. 13.5.2 is available, but see the following, as 13.x.x is already first-state EOSL: you should be looking to use 5.5.x at least, or the latest version, 6.5.2. https://backstage.forgerock.com/knowledge/kb/article/a18529200#AM