Using one B2C SAML custom policy for multiple SPs

Vyhmeister, Ronald 0 Reputation points
2023-03-23T23:13:29.2433333+00:00

I have configured an app (Moodle) to connect to B2C as a SAML application. Everything works fine.

I created a new app registration in B2C, with the same options as the first (working) one, and even reviewed the manifests to match, with the exception of URL, name, app ID, manifest ID.

I now have a testbed for the upgrade to Moodle, and have copied all the parameters in Moodle, but I am getting this error when I try to log in using B2C:

Application registered corresponding to IssuerUri "https://moodlevappt1.llu.edu/auth/saml2/sp/metadata.php" in AuthRequest does not have assertion consumer service URL "https://moodlevappt1.llu.edu/auth/saml2/sp/saml2-acs.php/moodlevappt1.llu.edu" specified in its metadata.

The XML file is identical to the one in the functioning system, with only the servername changed and the X509 Certificate.

I'm attaching the metadata, as the server is not currently accessible from off-campus... Any feedback is appreciated.

Attachment: metadata.php.xml

Microsoft Entra ID

1 answer

  1. Marilee Turscak-MSFT 36,811 Reputation points Microsoft Employee
    2023-03-24T23:45:15.7033333+00:00

    Hi @Vyhmeister, Ronald,

    The app registration being targeted by the SAML AuthN Request from your App to Azure AD B2C is found by looking through your App Registrations to find an App Registration that has a matching identifierURI to the issuerURI in the AuthNRequest. There cannot be any missing slashes, extra spaces, or other differences.

    Then Azure AD B2C looks at the metadata URL that is configured in the manifest of this App Registration, and checks the AssertionConsumerURL inside the metadata document, to check if the ACS in the SAML AuthN request has the same value. I do not see the AssertionConsumerURL listed in your metadata. If the application's metadata AssertionConsumerService element is missing, or you want to override it, you need to configure the application registration manifest replyUrlsWithType property.

    "replyUrlsWithType":[
      {
        "url":"https://samltestapp2.azurewebsites.net/SP/AssertionConsumer",
        "type":"Web"
      }
    ],

    Let me know if this helps and if you have further questions. Feel free to share app registration screenshots if you still face any issues.

    If the information helped you, please Accept the answer. This will help us as well as others in the community who may be researching similar issues.

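The two matching rules in the answer (Issuer must equal an identifierUri exactly; the ACS in the AuthnRequest must appear in the SP metadata's AssertionConsumerService or in replyUrlsWithType) can be checked offline before a login attempt. The script below is an added example, not code from the answer or from Moodle/B2C; the hostname, the constructed SP metadata and the two manifests are placeholders.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed SP metadata (hostname is a placeholder). Pass include_acs=False to
# reproduce the situation in the question: no AssertionConsumerService element.
def sp_metadata(include_acs):
    acs = ('<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
           'Location="https://sp.example.edu/auth/saml2/sp/saml2-acs.php/sp.example.edu" index="0"/>'
           if include_acs else "")
    return (f'<md:EntityDescriptor xmlns:md="{MD_NS}" entityID="https://sp.example.edu/auth/saml2/sp/metadata.php">'
            f'<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">{acs}'
            '</md:SPSSODescriptor></md:EntityDescriptor>')

def parse_sp_metadata(xml_text):
    """Return (entityID, [ACS Location, ...]) from an SP metadata document."""
    root = ET.fromstring(xml_text)
    locations = [e.get("Location") for e in root.iter(f"{{{MD_NS}}}AssertionConsumerService")]
    return root.get("entityID"), locations

def check_authn_request(manifest, issuer_uri, acs_url, metadata_xml):
    """Apply the two exact-match rules from the answer and list what fails."""
    problems = []
    if issuer_uri not in manifest.get("identifierUris", []):
        problems.append(f"no identifierUri equals Issuer {issuer_uri!r} (check slashes/spaces)")
    _, metadata_acs = parse_sp_metadata(metadata_xml)
    reply_urls = [r["url"] for r in manifest.get("replyUrlsWithType", [])]
    if acs_url not in metadata_acs and acs_url not in reply_urls:
        problems.append(f"ACS {acs_url!r} is in neither metadata AssertionConsumerService nor replyUrlsWithType")
    return problems

ISSUER = "https://sp.example.edu/auth/saml2/sp/metadata.php"
ACS = "https://sp.example.edu/auth/saml2/sp/saml2-acs.php/sp.example.edu"

# Constructed manifests: the broken one mirrors the question (metadata lacks ACS, no
# replyUrlsWithType); the fixed one adds the replyUrlsWithType override the answer recommends.
BROKEN_MANIFEST = {"identifierUris": [ISSUER + "/"]}   # trailing slash: issuer match fails too
FIXED_MANIFEST = {"identifierUris": [ISSUER],
                  "replyUrlsWithType": [{"url": ACS, "type": "Web"}]}

def diagnose():
    return {
        "broken": check_authn_request(BROKEN_MANIFEST, ISSUER, ACS, sp_metadata(False)),
        "fixed": check_authn_request(FIXED_MANIFEST, ISSUER, ACS, sp_metadata(False)),
        "metadata_only": check_authn_request({"identifierUris": [ISSUER]}, ISSUER, ACS, sp_metadata(True)),
    }

if __name__ == "__main__":
    print(diagnose())
```

Run it against the real metadata.php.xml and the manifest exported from the B2C app registration to see which of the two rules the failing testbed registration violates.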
