Azure b2c saml response error - AuthRequest does not have assertion consumer service URL

isuru 0 Reputation points
2023-08-01T04:56:30.21+00:00

I need to set up an Azure B2C application with the SAML protocol, but when trying to sign in I received the SAML response error below: "Application registered corresponding to IssuerUri "Abc" in AuthRequest does not have assertion consumer service URL"

Following are the steps that I followed:

1 - created an RSA policy key called "B2C_1A_SPSAMLApp"

2 - created a new user flow for email sign-in

  • user flow name - B2C_1_SAML_SIGNIN

3 - created a B2C application called "IMPSAML"

4 - uploaded TrustFrameworkBase.xml

  • used the official GitHub base XML file and updated the XML tags below with the newly created policy key. github source link
  • <Key Id="issuer_secret" StorageReferenceId="B2C_1A_SPSAMLApp" />
  • <Key Id="issuer_refresh_token_key" StorageReferenceId="B2C_1A_SPSAMLApp" />

5 - uploaded the TrustFrameworkExtensions.xml file below

<?xml version="1.0" encoding="utf-8" ?>
<TrustFrameworkPolicy 
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
  xmlns:xsd="http://www.w3.org/2001/XMLSchema" 
  xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06" 
  PolicySchemaVersion="0.3.0.0" 
  TenantId="abc.onmicrosoft.com" 
  PolicyId="B2C_1A_TrustFrameworkExtensions" 
  PublicPolicyUri="http://abc.onmicrosoft.com/B2C_1A_TrustFrameworkExtensions">
  <BasePolicy>
    <TenantId>abc.onmicrosoft.com</TenantId>
    <PolicyId>B2C_1A_TrustFrameworkBase</PolicyId>
  </BasePolicy>
  <BuildingBlocks>
  </BuildingBlocks>
  <ClaimsProviders>
    <ClaimsProvider>
      <DisplayName>IMPSAML</DisplayName>
      <TechnicalProfiles>
        <TechnicalProfile Id="IMPSAML">
          <DisplayName>Sales Application</DisplayName>
          <Protocol Name="SAML2"/>
          <OutputTokenFormat>SAML2</OutputTokenFormat>
          <CryptographicKeys>
            <Key Id="SamlAssertionSigning" StorageReferenceId="B2C_1A_SPSAMLApp"/>
            <Key Id="SamlMessageSigning" StorageReferenceId="B2C_1A_SPSAMLApp"/>
          </CryptographicKeys>
          <InputClaims/>
          <UseTechnicalProfileForSessionManagement ReferenceId="SM-Saml-issuer"/>
        </TechnicalProfile>
        
        <TechnicalProfile Id="SM-Saml-issuer">
          <DisplayName>Session Management Provider</DisplayName>
          <Protocol Name="Proprietary" Handler="Web.TPEngine.SSO.SamlSSOSessionProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/>
        </TechnicalProfile>
      </TechnicalProfiles>
    </ClaimsProvider>
  </ClaimsProviders>
</TrustFrameworkPolicy>

6 - uploaded the SPSAMLAPP.xml file below for user sign-in

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<TrustFrameworkPolicy
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns:xsd="http://www.w3.org/2001/XMLSchema"
  xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06"
  PolicySchemaVersion="0.3.0.0"
  TenantId="abc.onmicrosoft.com"
  PolicyId="B2C_1A_SPSAMLApp"
  PublicPolicyUri="http://abc.onmicrosoft.com/B2C_1A_SPSAMLApp">

  <BasePolicy>
    <TenantId>abc.onmicrosoft.com</TenantId>
    <PolicyId>B2C_1A_TrustFrameworkExtensions</PolicyId>
  </BasePolicy>

  <UserJourneys>
    <UserJourney Id="B2C_1_SAML_SIGNIN">
      <OrchestrationSteps>
        <OrchestrationStep Order="1" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="IMPSAML">
        </OrchestrationStep>
      </OrchestrationSteps>
    </UserJourney>
  </UserJourneys>

  <RelyingParty>
    <DefaultUserJourney ReferenceId="B2C_1_SAML_SIGNIN" />
    <TechnicalProfile Id="PolicyProfile">
      <DisplayName>PolicyProfile</DisplayName>
      <Protocol Name="SAML2"/>
      <Metadata>
        <Item Key="IssuerUri">https://abc.b2clogin.com/abc.onmicrosoft.com/B2C_1A_SPSAMLApp</Item>
      </Metadata>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="email" DefaultValue="" />
      </OutputClaims>
      <SubjectNamingInfo ClaimType="http://schemas.microsoft.com/identity/claims/objectidentifier" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" ExcludeAsClaim="true"/>
    </TechnicalProfile>
  </RelyingParty>
</TrustFrameworkPolicy>

7 - updated manifest.json

{
  "id": "xxxxxxxxxxxxxxxxxxx",
  "acceptMappedClaims": null,
  "accessTokenAcceptedVersion": 2,
  "addIns": [],
  "allowPublicClient": null,
  "appId": "xxxxxxxxxxxxxxxxxxx",
  "appRoles": [],
  "oauth2AllowUrlPathMatching": false,
  "createdDateTime": "2023-07-28T07:24:33Z",
  "description": null,
  "certification": null,
  "disabledByMicrosoftStatus": null,
  "groupMembershipClaims": null,
  "identifierUris": [
    "Abc"
  ],
  "informationalUrls": {
    "termsOfService": null,
    "support": null,
    "privacy": null,
    "marketing": null
  },
  "keyCredentials": [],
  "knownClientApplications": [],
  "logoUrl": null,
  "logoutUrl": null,
  "name": "IMPSAML",
  "notes": null,
  "oauth2AllowIdTokenImplicitFlow": false,
  "oauth2AllowImplicitFlow": false,
  "oauth2Permissions": [],
  "oauth2RequirePostResponse": false,
  "optionalClaims": null,
  "orgRestrictions": [],
  "parentalControlSettings": {
    "countriesBlockedForMinors": [],
    "legalAgeGroupRule": "Allow"
  },
  "passwordCredentials": [],
  "preAuthorizedApplications": [],
  "publisherDomain": "abc.onmicrosoft.com",
  "replyUrlsWithType": [
    {
      "url": "https://abc.com/api-gateway/auth-method/acs",
      "type": "Web"
    },
    {
      "url": "https://samltestapp2.azurewebsites.net/SP/AssertionConsumer",
      "type": "Web"
    }
  ],
  "requiredResourceAccess": [],
  "samlMetadataUrl": null,
  "signInUrl": null,
  "signInAudience": "AzureADMyOrg",
  "tags": [],
  "tokenEncryptionKeyId": null
}

1 answer

  1. Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,526 Reputation points Moderator
    2023-10-23T16:42:14.7766667+00:00

    Hello @isuru and thanks for sharing your solution. Since accepting and rating your own answer is not possible I'm reposting it here so you can accept and rate it so that others facing a similar issue can easily find a solution.

    My issue is fixed. The issue was an identifierUri and app issuer URL mismatch. Ex: my app issuer (entity ID) URL is https://samltestapp2.azurewebsites.net. I updated the same URL in the manifest.

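The fix above comes down to two lookups: B2C uses the Issuer of the incoming AuthnRequest to find the app registration whose identifierUris contains it, and then expects that registration's reply URLs to cover the SP's assertion consumer service URL. The following added pre-flight check (example code, not from the question, the answer or Microsoft) reproduces that matching as an assumption, using a constructed AuthnRequest and a constructed subset of the manifest from the question, so the mismatch can be spotted before uploading a policy.

```python
import xml.etree.ElementTree as ET

# Constructed sample AuthnRequest, shaped like what an SP with entity ID
# https://samltestapp2.azurewebsites.net would send to B2C.
SAMPLE_AUTHN_REQUEST = """<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" Version="2.0" IssueInstant="2023-08-01T04:56:30Z"
    AssertionConsumerServiceURL="https://samltestapp2.azurewebsites.net/SP/AssertionConsumer">
  <saml:Issuer>https://samltestapp2.azurewebsites.net</saml:Issuer>
</samlp:AuthnRequest>"""

# Constructed subset of the app registration manifest from the question:
# identifierUris still holds the placeholder "Abc" instead of the SP's entity ID.
SAMPLE_MANIFEST = {
    "identifierUris": ["Abc"],
    "replyUrlsWithType": [
        {"url": "https://abc.com/api-gateway/auth-method/acs", "type": "Web"},
        {"url": "https://samltestapp2.azurewebsites.net/SP/AssertionConsumer", "type": "Web"},
    ],
}

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def parse_authn_request(xml_text):
    """Extract the Issuer (SP entity ID) and the optional ACS URL from an AuthnRequest."""
    root = ET.fromstring(xml_text)
    issuer = root.find("saml:Issuer", NS)
    return {
        "issuer": issuer.text.strip() if issuer is not None and issuer.text else None,
        "acs_url": root.get("AssertionConsumerServiceURL"),
    }


def check_registration(manifest, request):
    """Return the list of mismatches between the request and the app registration.
    Assumption: B2C resolves the registration by Issuer -> identifierUris, then
    requires the request's ACS URL to be one of the registered reply URLs."""
    problems = []
    if request["issuer"] not in manifest.get("identifierUris", []):
        problems.append(f"issuer {request['issuer']!r} is not in identifierUris "
                        f"{manifest.get('identifierUris')}")
    reply_urls = {r["url"] for r in manifest.get("replyUrlsWithType", [])}
    # An AuthnRequest may omit the ACS URL; then only the issuer lookup applies.
    if request["acs_url"] and request["acs_url"] not in reply_urls:
        problems.append(f"ACS URL {request['acs_url']!r} is not a registered reply URL")
    return problems
```

Running check_registration on the question's manifest reports only the identifierUris mismatch; setting identifierUris to the SP entity ID, as the accepted answer describes, clears it.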
