How to sign assertion only Azure AD B2C as IdP using Custom Policy SAML

Question

How to sign assertion only Azure AD B2C as IdP using Custom Policy SAML

Javier Sassen 11

I'm trying to setup Qlik Sense SSO using Azure AD B2C as SAML IdP. I followed all steps in https://learn.microsoft.com/en-us/azure/active-directory-b2c/connect-with-saml-service-providers but my SP requires the assertion to be signed. Is it possible to do this using the custom policies?

Thanks in advance!

nickw 1 Reputation point

2021-04-06T01:54:02.54+00:00

I have finally got this working - the key is to also have a SP metadata document that asks for SAML assertion signing. The metadata document can be hosted anywhere (as long as its over SSL) and must ask for SAML assertion signing. The MSDN documentation has been updated too

3 answers

Your answer

nickw 1 Reputation point

2021-04-06T01:54:02.54+00:00

I have finally got this working - the key is to also have a SP metadata document that asks for SAML assertion signing. The metadata document can be hosted anywhere (as long as its over SSL) and must ask for SAML assertion signing. The MSDN documentation has been updated too

Answer 1

Enric 6

Hi @AmanpreetSingh-MSFT

I think the AD B2C signs the response, not the assertion (as AD does)

Theoretically, via B2C custom policies you can set the XmlSignatureAlgorithm metadata property in both, the reliyingparty/technicalprofile (it is related to the response)

https://learn.microsoft.com/es-es/azure/active-directory-b2c/relyingparty#metadata

And also ion the "ClaimsProvider" (it should be related to the asserton)

https://learn.microsoft.com/es-es/azure/active-directory-b2c/saml-issuer-technical-profile#metadata

But is lools like the assertion is never signed

Question: is the "SamlAssertionSigning" key in the Claimsprovider doing something?

By the way, the "SamlAssertionSigning" key is not mentioned in the documentation (https://learn.microsoft.com/es-es/azure/active-directory-b2c/saml-issuer-technical-profile#metadata) has something changed?

nickw 1 Reputation point

2021-03-25T02:45:19.917+00:00

This is still an issue - did you find a workaround @Enric ?

Hi @AmanpreetSingh-MSFT - as @Javier Sassen posted, AAD B2C is signing the message but not the assertion. Its definitely a feature that isn't implemented

The updated documentation links are https://github.com/MicrosoftDocs/azure-docs/blob/master/articles/active-directory-b2c/saml-issuer-technical-profile.md#cryptographic-keys which shows MetadataSigning and SamlMessageSigning as the 2 supported CryptographicKeys element.

The document at https://github.com/MicrosoftDocs/azure-docs/blob/master/articles/active-directory-b2c/saml-service-provider.md#enable-your-policy-to-connect-with-a-saml-application still references the (non-existent and non-working?) SamlAssertionSigning key
Sven Mawby 1 Reputation point

2021-10-25T15:02:55.81+00:00

It seems like assertion signing is still not possible, is there any plan on implementing this in future?

Answer 2

AmanpreetSingh-MSFT 56,871 Moderator

@Javier Sassen If you have followed all instructions mention in https://learn.microsoft.com/en-us/azure/active-directory-b2c/connect-with-saml-service-providers, you should get signed SAML assertion only. The SAML Assertion key (highlighted below) is used for this purpose:

-----------------------------------------------------------------------------------------------------------

Please "Accept as answer" wherever the information provided helps you to help others in the community.

Javier Sassen 11 Reputation points

2020-02-10T13:48:25.953+00:00

Unfortunately this doesn't solve my issues. When comparing SAML Response generated by AAD (which works) and the response generated by B2C custom policy (this response doesn't work) I see different orders:

Could you possibly help me any further?
AmanpreetSingh-MSFT 56,871 Reputation points Moderator

2020-02-13T09:15:08.917+00:00

@Javier Sassen I don't think order should cause any issue here.

I would suggest you to start debugging from the application side as the token is issued by B2C and the application is failing to consume that token. Starting by looking into the application logs would help narrowing down the issue. The problem can be due to signature algorithm as I can see AAD is using rsa-sha256 and B2C is using rsa-sha1 but that's a wild guess.

Answer 3

Radosław Dudyk 1

I have the same problem with Load Master .
Did you resolve this problem?

Share via

How to sign assertion only Azure AD B2C as IdP using Custom Policy SAML

3 answers

Your answer