How to generate public certiciate for Azure AD B2C ( SAML custom policy )

Question

How to generate public certiciate for Azure AD B2C ( SAML custom policy )

Hiep To Dinh 20

Hi support,

We're going to have the deployment integrate with Azure AD B2C (SAML)
To connect with SAML, we need the have the certificate (X509) for signing and encrytion the request uploaded to B2C. On the DEV and TEST, we could use self-signed cerficate but on PROD, it would be best to have you generate the cert from public certificate authority.

To generate the cert, we need to add TXT domain for onmicrosoft.com?

How could we do that

-Subject "CN=yourappname.yourtenant.onmicrosoft.com" `

More detail document here:
https://learn.microsoft.com/en-us/azure/active-directory-b2c/saml-service-provider?tabs=windows&pivots=b2c-custom-policy
In a production environment, we recommend using certificates that a public certificate authority has issued. But you can also complete this procedure with self-signed certificates.

Best,

JimmySalian-2011 45,236 Reputation points Volunteer Moderator

2023-07-08T20:34:35.4133333+00:00

Hi,

No you do not need to create a txt file as this is required for the DNS integration, for Certificate generation you will need to extract the CSR file and share it with the third party provider of Certificates. Check the steps here as an example but different providers will have similar steps -https://support.globalsign.com/digital-certificates/digital-certificate-installation/generating-and-importing-certificate-microsoft-azure-key-vault
Hiep To Dinh 20 Reputation points

2023-07-09T20:50:42.0733333+00:00

Hi JimmySalian-2011,

Look like in Azure AD B2C I couldn't generate the CSR file as the one in your article

Answer accepted by question author

0 additional answers

Your answer

JimmySalian-2011 45,236 Reputation points Volunteer Moderator

2023-07-08T20:34:35.4133333+00:00

Hi,

No you do not need to create a txt file as this is required for the DNS integration, for Certificate generation you will need to extract the CSR file and share it with the third party provider of Certificates. Check the steps here as an example but different providers will have similar steps -https://support.globalsign.com/digital-certificates/digital-certificate-installation/generating-and-importing-certificate-microsoft-azure-key-vault
Hiep To Dinh 20 Reputation points

2023-07-09T20:50:42.0733333+00:00

Hi JimmySalian-2011,

Look like in Azure AD B2C I couldn't generate the CSR file as the one in your article

Answer 1

Konstantinos Passadis 19,696 MVP

Hello @Hiep To Dinh !

Welcome to Microsoft QnA!

For this procedure you cannot verify the onmicrosoft Domain

you need a Custom Domain to vaidate

https://learn.microsoft.com/en-us/azure/active-directory-b2c/custom-domain?pivots=b2c-user-flow

I hope this helps!

Kindly mark the answer as Accepted and Upvote in case it helped!

Regards

Hiep To Dinh 20 Reputation points

2023-07-07T11:45:01.6966667+00:00

Thanks! It sounds reasonable.

So for the case of not using custom domains, maybe I could just go with a self-signed certificate will that be enough?
Konstantinos Passadis 19,696 Reputation points MVP

2023-07-07T11:48:00.8833333+00:00

Hello @Hiep To Dinh !

Exactly , and as you already said , not recommended , try to avoid it for Prod use!

Regards!

Share via

How to generate public certiciate for Azure AD B2C ( SAML custom policy )

0 additional answers

Your answer