SAML setup for Azure AD B2C vs Azure AD

Anveeg Sinha 0 Reputation points
2023-05-18T04:49:50.87+00:00

I have to integrate a third party application for SAML authentication

The third party application provided their setup guide for Azure AD, but our application needs Azure AD B2C.

According to their guide I have to add an enterprise application.

Since B2C does not have an enterprise application, I added it in "App registration".

The next step is to add the SAML configuration: Identifier (Entity ID), Reply URL (Assertion Consumer Service URL), Sign-On URL, Relay State.
For AD this setup is done directly on the "Set Up SSO with SAML" screen.

But in B2C I have to update the manifest file. Here I am unsure where to add the Sign-On URL and Relay State.

Also the integration requires me to download the metadata.xml file. How can I download it in B2C?

Microsoft Security | Microsoft Entra | Microsoft Entra ID

1 answer

  1. Marilee Turscak-MSFT 37,206 Reputation points Microsoft Employee Moderator
    2023-05-19T00:21:47.89+00:00

    Hi @Anveeg Sinha ,

    Like you mentioned, you need to register your application as a SAML application in B2C. The steps for registering a SAML application in B2C are documented in Register a SAML application in Azure AD B2C. You need to create a custom policy to define how users interact with your application and connect your SAML application to B2C.

    You can access the policy metadata XML here:

    https://<tenant-name>.b2clogin.com/<tenant-name>.onmicrosoft.com/<policy-name>/samlp/metadata

    The RelayState parameter is optional. If you needed to include it, you would add it as a URL parameter, like this example for the IdP-initiated flow for sign in or sign up:

    https://<tenant-name>.b2clogin.com/<tenant-name>.onmicrosoft.com/<policy-name>/generic/login?EntityId=<app-identifier-uri>&RelayState=<relay-state>

    You would replace the relay-state parameter with a value included in the authorization request that is also returned in the token response (which should come from the service provider), such as the page the user was on before the authentication request occurred.

    https://github.com/MicrosoftDocs/azure-docs/blob/main/articles/active-directory-b2c/saml-service-provider-options.md

    The sign-on URL of the SAML app is the destination in the SAML request. Examples here:

    https://github.com/MicrosoftDocs/azure-docs/blob/main/articles/active-directory-b2c/saml-service-provider-options.md

    https://medium.com/the-new-control-plane/idpinitiated-sign-on-with-azure-ad-73e252c9c370

    Let me know if this helps and if you have further questions.

    If the information helped you, please Accept the answer. This will help us as well as others in the community who may be researching similar questions.

