Getting error AADB2C90164: The SAML relying party metadata does not specify a key descriptor for encryption

Derosier, Conner R 21 Reputation points
2023-01-06T13:58:06.273+00:00

Hello,

One of my custom B2C policies is getting this error on an SSO attempt when I set <Item Key="WantsEncryptedAssertions">true</Item>

AADB2C90164: The SAML relying party metadata does not specify a key descriptor for encryption.

I've followed this documentation exactly and verified that I have <KeyDescriptor use="encryption"> in my endpoint metadata.

https://learn.microsoft.com/en-us/azure/active-directory-b2c/saml-identity-provider-technical-profile

I cannot find error code AADB2C90164 on the B2C error code list online.

Can someone point me in the right direction?


2 answers

  1. Marilee Turscak-MSFT 22,311 Reputation points Microsoft Employee
    2023-01-06T22:01:57.327+00:00

    Hi @Derosier, Conner R ,

    I have reached out to the B2C team for a description of the error itself since it doesn't appear to be documented, but in the meantime wanted to provide the following troubleshooting steps:

    1) I have seen this issue when there is a combination of inflation + decryption of the SAML assertions. If the SAML SP application is requiring the response to be inflated and B2C is sending Deflated SAML, you may face this issue. If the issue does not persist after disabling SAML assertion encryption, this could very well be the problem.

    B2C will always send base64-encoded, deflated SAML responses. The app would need to base64-decode and SAML-inflate the response.

    Is the app providing a specific error about the format the SAML Response is in? (Inflated vs Deflated)

    Does the app not support base64 decoding / SAML inflation? If not, then this would be a limitation of the app that would need to be investigated.

    2) If you want to use AAD B2C as IDP, normally you should create a signing certificate in B2C (with private key) for the SAML response. You could refer to this document and check the certificate and key used on both the B2C and app side.

    https://learn.microsoft.com/en-us/azure/active-directory-b2c/saml-service-provider?tabs=windows&pivots=b2c-custom-policy#set-up-certificates

    For Azure AD B2C to accept a .pfx file password, the password must be encrypted with the TripleDES-SHA1 option in the Windows Certificate Store Export utility, as opposed to AES256-SHA256.

    Let me know if this applies to your situation. I've also reached out to the B2C team to collect more details around this error and will post back with the details.


  2. Marilee Turscak-MSFT 22,311 Reputation points Microsoft Employee
    2023-01-11T22:00:35.8766667+00:00

    I had a discussion with the product team and wanted to add to the previous response. If you are trying to add a third-party SAML IDP federating with B2C and set WantsEncryptedAssertions to true from a B2C custom policy file, the assertions will be removed from the assertions collection and added to the encrypted assertions.

    And normally if the EncryptionKey read from B2C metadataReader is null, this kind of AADB2C90164 error will be thrown. So you might need to check on your B2C custom policy file first to see if you have added the SamlAssertionDecryption key like below within their SAML technical profile.

    <CryptographicKeys>
      <Key Id="SamlAssertionSigning" StorageReferenceId="B2C_1A_SamlIdpCert"/>
      <Key Id="SamlMessageSigning" StorageReferenceId="B2C_1A_SamlIdpCert"/>
      <Key Id="SamlAssertionDecryption" StorageReferenceId="B2C_1A_SamlCert"/>
    </CryptographicKeys>
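As an added pre-flight check (my own example, not code from the thread or from Microsoft): parse the relying-party metadata for a KeyDescriptor that is usable for encryption, and parse the B2C policy's CryptographicKeys for the SamlAssertionDecryption entry the second answer describes, so both conditions the thread associates with AADB2C90164 are verified before WantsEncryptedAssertions is switched on. The metadata document, entityID and certificate value are constructed placeholders; the policy fragment is the one from the answer above.

```python
import xml.etree.ElementTree as ET
from typing import List, Optional

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"   # standard SAML 2.0 metadata namespace
DS_NS = "http://www.w3.org/2000/09/xmldsig#"     # standard XML-DSig namespace

def sample_metadata(uses) -> str:
    """Constructed SP metadata with one KeyDescriptor per entry in `uses`
    (None = no use attribute). Certificate and entityID are placeholders."""
    parts = []
    for u in uses:
        attr = "" if u is None else f' use="{u}"'
        parts.append(f'<md:KeyDescriptor{attr}><ds:KeyInfo><ds:X509Data>'
                     '<ds:X509Certificate>PLACEHOLDER</ds:X509Certificate>'
                     '</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>')
    return (f'<md:EntityDescriptor xmlns:md="{MD_NS}" xmlns:ds="{DS_NS}" '
            'entityID="https://sp.example.test"><md:SPSSODescriptor '
            'protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
            + "".join(parts) + '</md:SPSSODescriptor></md:EntityDescriptor>')

def encryption_key_descriptors(metadata_xml: str) -> List[str]:
    """use= value of every KeyDescriptor that carries a certificate and may be
    used for encryption; a missing use attribute means signing AND encryption."""
    root = ET.fromstring(metadata_xml)
    found = []
    for kd in root.iter(f"{{{MD_NS}}}KeyDescriptor"):
        use = kd.get("use", "both")
        has_cert = kd.find(f".//{{{DS_NS}}}X509Certificate") is not None
        if has_cert and use in ("encryption", "both"):
            found.append(use)
    return found

def decryption_key_ref(policy_xml: str) -> Optional[str]:
    """StorageReferenceId of the SamlAssertionDecryption key, or None if absent.
    Matches on local name so a bare fragment or a full namespaced policy works."""
    for el in ET.fromstring(policy_xml).iter():
        if el.tag.rsplit("}", 1)[-1] == "Key" and el.get("Id") == "SamlAssertionDecryption":
            return el.get("StorageReferenceId")
    return None

def preflight(metadata_xml: str, policy_xml: str) -> List[str]:
    """Conditions the thread links to AADB2C90164; empty list means both are satisfied."""
    problems = []
    if not encryption_key_descriptors(metadata_xml):
        problems.append("metadata has no KeyDescriptor usable for encryption")
    if decryption_key_ref(policy_xml) is None:
        problems.append("policy CryptographicKeys lacks SamlAssertionDecryption")
    return problems

POLICY_FRAGMENT = """<CryptographicKeys>
  <Key Id="SamlAssertionSigning" StorageReferenceId="B2C_1A_SamlIdpCert"/>
  <Key Id="SamlMessageSigning" StorageReferenceId="B2C_1A_SamlIdpCert"/>
  <Key Id="SamlAssertionDecryption" StorageReferenceId="B2C_1A_SamlCert"/>
</CryptographicKeys>"""
```

Run `preflight(sample_metadata(["signing"]), POLICY_FRAGMENT)` to see the metadata problem reported, and `preflight(sample_metadata(["signing", "encryption"]), POLICY_FRAGMENT)` to get an empty list.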