Azure AD as IDP for Azure AD B2C CAS custom policy SAML configuration
Is it possible to configure Azure AD as an IdP in a custom policy not via OIDC, as described here:
https://learn.microsoft.com/en-us/azure/active-directory-b2c/identity-provider-azure-ad-single-tenant?pivots=b2c-custom-policy
but via SAML instead?
The AD FS (SAML) and Generic SAML IdP samples seem quite close to what we need; we even got a valid SAML response with user attributes back to Azure AD B2C, but the final POST message (to the app) has this status code:
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"></samlp:StatusCode>
<samlp:StatusMessage>Id:<Some id> ; Message: An error occurred while processing the request. Please contact administrator of the site you are trying to access.</samlp:StatusMessage>
<samlp:StatusDetail>
<IsPolicySpecificError>true</IsPolicySpecificError>
</samlp:StatusDetail>
</samlp:Status>
Given <IsPolicySpecificError>true</IsPolicySpecificError>, this seems to be a custom policy misconfiguration issue. I'm requesting help on how to get this use case to work.
SAML ClaimsProvider:
<!-- Claims provider for a single-tenant Azure AD acting as a SAML 2.0 identity provider; the inbound technical profile is modelled on the AD FS / generic SAML IdP samples. -->
<ClaimsProvider>
<Domain>[domain].onmicrosoft.com</Domain>
<DisplayName>Login using TestSSO</DisplayName>
<TechnicalProfiles>
<!-- Inbound SAML2 technical profile: B2C is the service provider here and consumes assertions issued by Azure AD. -->
<TechnicalProfile Id="AADTestSSO-SAML2">
<DisplayName>TestSSO account SAML2</DisplayName>
<Description>Login with your TestSSO account</Description>
<Protocol Name="SAML2" />
<Metadata>
<!-- Assertions from the IdP are accepted unencrypted. -->
<Item Key="WantsEncryptedAssertions">false</Item>
<!-- The SAML Response envelope itself is not required to be signed. NOTE(review): this relaxes one layer of integrity checking; the assertion signature is presumably still verified (Azure AD signs the assertion rather than the response) - confirm that assertion-signature verification is not also disabled. -->
<Item Key="ResponsesSigned">false</Item>
<!-- Tenant-specific federation metadata: B2C pulls the IdP issuer and signing certificates from here, so only this tenant's assertions are trusted. Keep it tenant-specific rather than a multi-tenant endpoint. -->
<Item Key="PartnerEntity">https://login.microsoftonline.com/[azure ad tenant id]/federationmetadata/2007-06/federationmetadata.xml</Item>
</Metadata>
<CryptographicKeys>
<!--Action required: Create your own certificate and set the name -->
<!-- These are B2C's own SP-side keys (not the IdP's); one policy key is reused for metadata, assertion and message signing. -->
<Key Id="MetadataSigning" StorageReferenceId="B2C_1A_SamlIdpCert" />
<Key Id="SamlAssertionSigning" StorageReferenceId="B2C_1A_SamlIdpCert" />
<Key Id="SamlMessageSigning" StorageReferenceId="B2C_1A_SamlIdpCert" />
</CryptographicKeys>
<OutputClaims>
<!-- The assertion's subject NameID is mapped to issuerUserId. -->
<OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="assertionSubjectName" />
<!-- NOTE(review): "first_name" / "last_name" must match the attribute names the Azure AD enterprise application actually emits; verify against the assertion that was received. -->
<OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="first_name" />
<OutputClaim ClaimTypeReferenceId="surname" PartnerClaimType="last_name" />
<OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="http://schemas.microsoft.com/identity/claims/displayname" />
<!-- No PartnerClaimType: the incoming attribute is expected to be named "email" - confirm. -->
<OutputClaim ClaimTypeReferenceId="email" />
<!-- NOTE(review): "contoso.com" looks like a leftover sample value; presumably this should identify the actual IdP (e.g. the domain in <Domain> above). -->
<OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="contoso.com" />
<OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" />
</OutputClaims>
<!-- Standard federated-account transformations: derive a UPN and an alternativeSecurityId from issuerUserId, then the subject claim from that id. Note that objectId is not produced here. -->
<OutputClaimsTransformations>
<OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName"/>
<OutputClaimsTransformation ReferenceId="CreateUserPrincipalName"/>
<OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId"/>
<OutputClaimsTransformation ReferenceId="CreateSubjectClaimFromAlternativeSecurityId"/>
</OutputClaimsTransformations>
<UseTechnicalProfileForSessionManagement ReferenceId="SM-Saml-idp" />
</TechnicalProfile>
<!-- Session management technical profile for SAML based tokens -->
<TechnicalProfile Id="SM-Saml-idp">
<DisplayName>Session Management Provider</DisplayName>
<Protocol Name="Proprietary" Handler="Web.TPEngine.SSO.SamlSSOSessionProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
<Metadata>
<!-- No SessionIndex is tracked and the IdP is not registered for single logout. -->
<Item Key="IncludeSessionIndex">false</Item>
<Item Key="RegisterServiceProviders">false</Item>
</Metadata>
</TechnicalProfile>
</TechnicalProfiles>
</ClaimsProvider>
UserJourney and RelyingParty:
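<UserJourneys>
  <!-- Sign-in / sign-up journey that federates with the Azure AD SAML IdP (AADTestSSO-SAML2) and issues a SAML token to the application. -->
  <UserJourney Id="TestSSO-SAML2">
    <OrchestrationSteps>
      <!-- Step 1: combined sign-in/sign-up page offering local email sign-in and the SAML IdP button. -->
      <OrchestrationStep Order="1" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.signuporsignin">
        <ClaimsProviderSelections>
          <ClaimsProviderSelection ValidationClaimsExchangeId="LocalAccountSigninEmailExchange" />
          <ClaimsProviderSelection TargetClaimsExchangeId="TestSSOExchangeSAML2" />
        </ClaimsProviderSelections>
        <ClaimsExchanges>
          <ClaimsExchange Id="LocalAccountSigninEmailExchange" TechnicalProfileReferenceId="SelfAsserted-LocalAccountSignin-Email" />
        </ClaimsExchanges>
      </OrchestrationStep>
      <!-- Step 2: skipped when a local sign-in already produced an objectId; otherwise runs local sign-up or the SAML exchange with Azure AD. -->
      <OrchestrationStep Order="2" Type="ClaimsExchange">
        <Preconditions>
          <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
            <Value>objectId</Value>
            <Action>SkipThisOrchestrationStep</Action>
          </Precondition>
        </Preconditions>
        <ClaimsExchanges>
          <ClaimsExchange Id="SignUpWithLogonEmailExchange" TechnicalProfileReferenceId="LocalAccountSignUpWithLogonEmail" />
          <ClaimsExchange Id="TestSSOExchangeSAML2" TechnicalProfileReferenceId="AADTestSSO-SAML2" />
        </ClaimsExchanges>
      </OrchestrationStep>
      <!-- Step 3: reads any user attributes that we may not have received in the token.
           NOTE(review): AAD-UserReadUsingObjectId needs an objectId, but the SAML branch of step 2 appears to yield only
           issuerUserId / alternativeSecurityId, so a federated user presumably reaches this step without one. The usual
           pattern is a lookup (and, if absent, a write) by alternativeSecurityId before this step - confirm against the
           policy's directory technical profiles. -->
      <OrchestrationStep Order="3" Type="ClaimsExchange">
        <ClaimsExchanges>
          <ClaimsExchange Id="AADUserReadWithObjectId" TechnicalProfileReferenceId="AAD-UserReadUsingObjectId" />
        </ClaimsExchanges>
      </OrchestrationStep>
      <!-- Step 4: issue the token to the relying party. CpimIssuerTechnicalProfileReferenceId must reference the SAML
           *token issuer* technical profile, not the inbound IdP profile AADTestSSO-SAML2 (that profile consumes
           assertions from Azure AD; it is not a token issuer for the app). Microsoft's SAML relying-party sample names
           the issuer profile Saml2AssertionIssuer; use whatever Id your policy defines for it. -->
      <OrchestrationStep Order="4" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="Saml2AssertionIssuer" />
    </OrchestrationSteps>
    <ClientDefinition ReferenceId="DefaultWeb" />
  </UserJourney>
</UserJourneys>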
<!-- Relying party: the application receives a SAML 2.0 token issued by this policy. -->
<RelyingParty>
<DefaultUserJourney ReferenceId="TestSSO-SAML2" />
<TechnicalProfile Id="TestSSO-SAML2-TP">
<DisplayName>TestSSO-SAML2</DisplayName>
<Protocol Name="SAML2" />
<Metadata>
<!-- Unsigned AuthnRequests from the application are accepted. NOTE(review): acceptable while testing; for production prefer requiring signed requests so B2C can check that the request came from the registered service provider. -->
<Item Key="WantsSignedRequests">false</Item>
<!-- NOTE(review): confirm this key is honoured by the relying-party SAML technical profile (check the RP technical profile metadata reference); if it does disable assertion signing, the token handed to the app carries no integrity signature. -->
<Item Key="WantsSignedAssertions">false</Item>
</Metadata>
<!-- Claims emitted to the application. -->
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="displayName" />
<OutputClaim ClaimTypeReferenceId="givenName" />
<OutputClaim ClaimTypeReferenceId="surname" />
<OutputClaim ClaimTypeReferenceId="email" />
<!-- Empty default: presumably the journey is expected to populate identityProvider; confirm. -->
<OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="" />
<!-- NOTE(review): objectId is also the subject (below) with ExcludeAsClaim="true", which presumably suppresses this attribute; decide whether the app needs it as an attribute or as NameID. -->
<OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="objectId" />
</OutputClaims>
<!-- The issued assertion's NameID is the B2C objectId, so the journey must produce an objectId for every user, including federated ones. -->
<SubjectNamingInfo ClaimType="objectId" ExcludeAsClaim="true" />
</TechnicalProfile>
</RelyingParty>