This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(214.4, 92%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJS%3C/text%3E%3C/svg%3E)
I'm trying to setup Qlik Sense SSO using Azure AD B2C as SAML IdP. I followed all steps in https://learn.microsoft.com/en-us/azure/active-directory-b2c/connect-with-saml-service-providers but my SP requires the assertion to be signed. Is it possible to do this using the custom policies?
Thanks in advance!
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(6.4, 36%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EN%3C/text%3E%3C/svg%3E)
I have finally got this working - the key is to also have a SP metadata document that asks for SAML assertion signing. The metadata document can be hosted anywhere (as long as its over SSL) and must ask for SAML assertion signing. The MSDN documentation has been updated too
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(182.40000000000003, 93%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EE%3C/text%3E%3C/svg%3E)
I think the AD B2C signs the response, not the assertion (as AD does)
Theoretically, via B2C custom policies you can set the XmlSignatureAlgorithm metadata property in both, the reliyingparty/technicalprofile (it is related to the response)
https://learn.microsoft.com/es-es/azure/active-directory-b2c/relyingparty#metadata
And also ion the "ClaimsProvider" (it should be related to the asserton)
https://learn.microsoft.com/es-es/azure/active-directory-b2c/saml-issuer-technical-profile#metadata
But is lools like the assertion is never signed
Question: is the "SamlAssertionSigning" key in the Claimsprovider doing something?
By the way, the "SamlAssertionSigning" key is not mentioned in the documentation (https://learn.microsoft.com/es-es/azure/active-directory-b2c/saml-issuer-technical-profile#metadata) has something changed?
This is still an issue - did you find a workaround @Enric ?
Hi @AmanpreetSingh-MSFT - as @Javier Sassen posted, AAD B2C is signing the message but not the assertion. Its definitely a feature that isn't implemented
The updated documentation links are https://github.com/MicrosoftDocs/azure-docs/blob/master/articles/active-directory-b2c/saml-issuer-technical-profile.md#cryptographic-keys which shows MetadataSigning and SamlMessageSigning as the 2 supported CryptographicKeys element.
The document at https://github.com/MicrosoftDocs/azure-docs/blob/master/articles/active-directory-b2c/saml-service-provider.md#enable-your-policy-to-connect-with-a-saml-application still references the (non-existent and non-working?) SamlAssertionSigning key
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(3.2, 68%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESM%3C/text%3E%3C/svg%3E)
It seems like assertion signing is still not possible, is there any plan on implementing this in future?
@Javier Sassen If you have followed all instructions mention in https://learn.microsoft.com/en-us/azure/active-directory-b2c/connect-with-saml-service-providers, you should get signed SAML assertion only. The SAML Assertion key (highlighted below) is used for this purpose:
-----------------------------------------------------------------------------------------------------------
Please "Accept as answer" wherever the information provided helps you to help others in the community.
Unfortunately this doesn't solve my issues. When comparing SAML Response generated by AAD (which works) and the response generated by B2C custom policy (this response doesn't work) I see different orders:
Could you possibly help me any further?
@Javier Sassen I don't think order should cause any issue here.
I would suggest you to start debugging from the application side as the token is issued by B2C and the application is failing to consume that token. Starting by looking into the application logs would help narrowing down the issue. The problem can be due to signature algorithm as I can see AAD is using rsa-sha256 and B2C is using rsa-sha1 but that's a wild guess.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(102.4, 53%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERA%3C/text%3E%3C/svg%3E)
I have the same problem with Load Master .
Did you resolve this problem?