Azure AD B2C Saml Assertions Not Signed

Question

Azure AD B2C Saml Assertions Not Signed

Christopher Norris 6

Hello,

We are trying to integrate into an application that only supports SAML IDP-initiated authentication. SP is not supported.

However, when we try to authenticate, we are getting an error saying that the assertion is not signed.

We have tried setting the metadata value: WantsSignedAssertions to true, but when we view the SAML response, it does not show a signature element within the Assertion Element.

Any help would be greatly appreciated.

Akshay-MSFT 17,956 Reputation points Microsoft Employee Moderator

2023-02-20T11:20:58.3133333+00:00

@Christopher Norris

Thank you for posting your query on Microsoft Q&A. I am reviewing this and will get back to you further inputs.

Thanks,

Akshay Kaushik
Akshay-MSFT 17,956 Reputation points Microsoft Employee Moderator

2023-03-02T09:30:42.9933333+00:00

@Christopher Norris

We noticed your feedback that the answer on this thread was not helpful.

Thank you for taking time to share your feedback. Kindly let us know what we could have done better to improve the answer and make your experience better.

Since I did try to to clarify the response in the latest post and update the solution, I request that you would kindly re-take the survey for your experience on this thread.

However, if your issue remains unresolved, please let us know how we can assist. We are here to help you and strive to make your experience better and greatly value your feedback. Looking forward to your reply. Much appreciate your feedback!

Thanks,

Akshay Kaushik
Luke Smith 0 Reputation points

2023-10-23T07:35:30.3566667+00:00

We're facing this same problem, the application only supports IdP initiated and requires the assertion to be signed.

The attribute mentioned above is for when B2C is receiving requests.. in the IdP initiated flow is the IdP and is generating the SAML but there doesn't seem to be anyway of telling it to sign the assertion.

2 answers

Your answer

Akshay-MSFT 17,956 Reputation points Microsoft Employee Moderator

2023-02-20T11:20:58.3133333+00:00

@Christopher Norris

Thank you for posting your query on Microsoft Q&A. I am reviewing this and will get back to you further inputs.

Thanks,

Akshay Kaushik
Akshay-MSFT 17,956 Reputation points Microsoft Employee Moderator

2023-03-02T09:30:42.9933333+00:00

@Christopher Norris

We noticed your feedback that the answer on this thread was not helpful.

Thank you for taking time to share your feedback. Kindly let us know what we could have done better to improve the answer and make your experience better.

Since I did try to to clarify the response in the latest post and update the solution, I request that you would kindly re-take the survey for your experience on this thread.

However, if your issue remains unresolved, please let us know how we can assist. We are here to help you and strive to make your experience better and greatly value your feedback. Looking forward to your reply. Much appreciate your feedback!

Thanks,

Akshay Kaushik
Luke Smith 0 Reputation points

2023-10-23T07:35:30.3566667+00:00

We're facing this same problem, the application only supports IdP initiated and requires the assertion to be signed.

The attribute mentioned above is for when B2C is receiving requests.. in the IdP initiated flow is the IdP and is generating the SAML but there doesn't seem to be anyway of telling it to sign the assertion.

Answer 1

Akshay-MSFT 17,956 Microsoft Employee Moderator

@Christopher Norris ,

Kindly validate the value for ResponsesSigned attribute. If the value is set to false, the identity provider shouldn’t sign the SAML response, but even if it does, Azure AD B2C won’t validate the signature. If you disable the SAML response validation, you also may want to disable the assertion signature validation

Please do let me know if you have any queries in the comments section.

Thanks

Akshay Kaushik

Please "Accept the answer" (Yes/No), and share your feedback if the suggestion works as per your business need. This will help us and others in the community as well.

Christopher Norris 6 Reputation points

2023-02-28T17:02:30.2666667+00:00

@Akshay-MSFT T thank you for your reply. This is an IDP-Initiated flow, where Azure AD B2C is acting as the IDP. When I view the Metadata I do not see a ResponsesSigned attribute in any element. When we log in, we see the SAML assertion being sent to the application. Again, we are not getting a signed element inside of the Assertion element.

Answer 2

Akshay-MSFT 17,956 Microsoft Employee Moderator

@Christopher Norris ,

Thanks for your response. This attribute is not required but has to be added in metadata. For example:

User's image

Possible values are true/false as per Define a SAML identity provider technical profile :

User's image

For a deep-dive kindly refer to Azure AD B2C Custom Policies - Deep Dive

Thanks,

Akshay Kaushik

Please "Accept the answer" (Yes/No), and share your feedback if the suggestion works as per your business need. This will help us and others in the community as well.

Share via

Azure AD B2C Saml Assertions Not Signed

2 answers

Your answer