How to enable signed SAML assertion in Azure AD B2C

Varadharaj, Silambarasan 0 Reputation points
2024-03-05T14:35:33.2466667+00:00

Hi Team,

How do I enable a signed SAML assertion in AAD B2C? By default it comes with a signed Response, but my application team needs a signed assertion. I tried a few options, but they didn't work.

I tried the options below:

i) Claim provider

<CryptographicKeys>
  <Key Id="SamlAssertionSigning" StorageReferenceId="B2C_1A_SamlIdpCert" />
  <Key Id="SamlMessageSigning" StorageReferenceId="B2C_1A_SamlIdpCert" />
</CryptographicKeys>

ii) Relying party

<RelyingParty>
  <Metadata>
    <Item Key="IdpInitiatedProfileEnabled">true</Item>
    <Item Key="WantsSignedAssertions">true</Item>
  </Metadata>
</RelyingParty>

Can someone help me with this?

Microsoft Security | Microsoft Entra | Microsoft Entra ID

2 answers

  1. Varadharaj, Silambarasan 0 Reputation points
    2024-03-07T14:54:37.9266667+00:00

    I found the solution. I modified the service provider's metadata to set WantAssertionsSigned="true" and added it as <![CDATA[Your IDP metadata]]> in my relying party TechnicalProfile, as below.

    <RelyingParty>
      <DefaultUserJourney ReferenceId="CustomSignUpSignIn" />
      <TechnicalProfile Id="PolicyProfile">
        <DisplayName>PolicyProfile</DisplayName>
        <Protocol Name="SAML2" />
        <Metadata>
          <Item Key="IdpInitiatedProfileEnabled">true</Item>
          <Item Key="PartnerEntity">
            <![CDATA[<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
            <EntityDescriptor ID="id123456789" entityID="https://samltestapp2.azurewebsites.net" validUntil="2099-12-31T23:59:59Z" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
              <SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
                <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://samltestapp2.azurewebsites.net/logout" ResponseLocation="https://samltestapp2.azurewebsites.net/logout" />
                <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
                <AssertionConsumerService index="0" isDefault="true" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://samltestapp2.azurewebsites.net/SP/AssertionConsumer" />
              </SPSSODescriptor>
              <IDPSSODescriptor WantAuthnRequestsSigned="false" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
                <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://samltestapp2.azurewebsites.net/logout" ResponseLocation="https://samltestapp2.azurewebsites.net/logout" />
                <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
                <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://samltestapp2.azurewebsites.net/IDP/AuthNRequest" />
              </IDPSSODescriptor>
            </EntityDescriptor>]]>
          </Item>
        </Metadata>
      </TechnicalProfile>
    </RelyingParty>
    

  2. Akshay-MSFT 17,956 Reputation points Microsoft Employee Moderator
    2024-03-11T12:02:48.5666667+00:00

    @Varadharaj, Silambarasan

    I'm glad that you were able to resolve your issue, and thank you for posting your solution so that others experiencing the same thing can easily reference this! Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others", I'll repost your solution in case you'd like to "Accept" the answer.

    Issue: Unable to get signed SAML assertion in AAD B2C.

    Solution: The service provider's metadata was modified to set WantAssertionsSigned="true" and added as <![CDATA[Your IDP metadata]]> in the relying party TechnicalProfile, as below.

    <DefaultUserJourney ReferenceId="CustomSignUpSignIn" />
    <TechnicalProfile Id="PolicyProfile">
      <DisplayName>PolicyProfile</DisplayName>
      <Protocol Name="SAML2" />
      <Metadata>
        <Item Key="IdpInitiatedProfileEnabled">true</Item>
        <Item Key="PartnerEntity">
          <![CDATA[<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
          <EntityDescriptor ID="id123456789" entityID="https://samltestapp2.azurewebsites.net" validUntil="2099-12-31T23:59:59Z" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
            <SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
              <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://samltestapp2.azurewebsites.net/logout" ResponseLocation="https://samltestapp2.azurewebsites.net/logout" />
              <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
              <AssertionConsumerService index="0" isDefault="true" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://samltestapp2.azurewebsites.net/SP/AssertionConsumer" />
            </SPSSODescriptor>
            <IDPSSODescriptor WantAuthnRequestsSigned="false" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
              <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://samltestapp2.azurewebsites.net/logout" ResponseLocation="https://samltestapp2.azurewebsites.net/logout" />
              <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
              <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://samltestapp2.azurewebsites.net/IDP/AuthNRequest" />
            </IDPSSODescriptor>
          </EntityDescriptor>]]>
        </Item>
      </Metadata>
    </TechnicalProfile>

    If you have any other questions or are still running into more issues, please let me know. Thank you again for your time and patience throughout this issue.

    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.

    Thanks,

    Akshay Kaushik

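The two answers above both come down to one thing: the SP metadata that B2C receives in the PartnerEntity item must carry WantAssertionsSigned="true" on its SPSSODescriptor, and the proof that it took effect is a ds:Signature inside the saml:Assertion rather than only on the outer samlp:Response. The script below is an added example (editor's code, not from either answer, from Microsoft, or from any B2C sample) that checks both sides of that: it reads SP metadata and reports whether signed assertions are requested, and it inspects a SAML Response and reports where the signatures sit. All XML documents in it are constructed samples with placeholder signature elements, so it only locates signatures and does not verify them; entity IDs and URLs are made up.

```python
# Added example (not code from the thread or from Microsoft). Two checks for a
# relying-party team working through the configuration above:
#  1. Does the SP metadata handed to B2C (the PartnerEntity item) request
#     signed assertions?
#  2. Does the SAML Response returned by the IdP carry a signature on the
#     Assertion, or only on the outer Response?
# Standard library only. The XML below is constructed sample data, and the
# <ds:Signature> elements are placeholders: position is checked, not validity.
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def sp_wants_signed_assertions(metadata_xml: str) -> bool:
    """True when the SPSSODescriptor sets WantAssertionsSigned="true".

    Only the SPSSODescriptor attribute is looked at: in the SAML 2.0 metadata
    schema WantAssertionsSigned is defined on SPSSODescriptor, not IDPSSODescriptor.
    """
    root = ET.fromstring(metadata_xml)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("metadata has no SPSSODescriptor")
    return sp.get("WantAssertionsSigned", "false").strip().lower() == "true"


def signature_locations(response_xml: str) -> dict:
    """Report where enveloped ds:Signature elements sit in a samlp:Response.

    find() with a single-step path matches direct children only, so a signature
    inside an Assertion is not mistaken for a Response-level one and vice versa.
    EncryptedAssertion elements are counted separately: their signing status
    cannot be judged without decrypting them first.
    """
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise ValueError("document is not a samlp:Response")
    assertions = root.findall("saml:Assertion", NS)
    encrypted = root.findall("saml:EncryptedAssertion", NS)
    return {
        "response_signed": root.find("ds:Signature", NS) is not None,
        "assertion_count": len(assertions),
        "encrypted_assertion_count": len(encrypted),
        "all_assertions_signed": bool(assertions)
        and all(a.find("ds:Signature", NS) is not None for a in assertions),
    }


# Constructed SP metadata in the shape of the PartnerEntity item above
# (hypothetical entityID and ACS URL).
SP_METADATA_SIGNED = """<EntityDescriptor entityID="https://sp.example.test" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <AssertionConsumerService index="0" isDefault="true" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sp.example.test/acs" />
  </SPSSODescriptor>
</EntityDescriptor>"""

# Same metadata with the attribute left at its default (false).
SP_METADATA_DEFAULT = SP_METADATA_SIGNED.replace(' WantAssertionsSigned="true"', "")

# Constructed Response template; the two slots take a placeholder signature or nothing.
_RESPONSE = """<samlp:Response ID="_r1" Version="2.0" IssueInstant="2024-03-07T14:00:00Z"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <saml:Issuer>https://idp.example.test/</saml:Issuer>
  {response_sig}
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-03-07T14:00:00Z">
    <saml:Issuer>https://idp.example.test/</saml:Issuer>
    {assertion_sig}
    <saml:Subject><saml:NameID>user@example.test</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""
_SIG = "<ds:Signature><ds:SignedInfo/><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>"

RESPONSE_ONLY_SIGNED = _RESPONSE.format(response_sig=_SIG, assertion_sig="")  # B2C default shape
ASSERTION_SIGNED = _RESPONSE.format(response_sig="", assertion_sig=_SIG)      # what the app team wanted


if __name__ == "__main__":
    print("SP asks for signed assertions:", sp_wants_signed_assertions(SP_METADATA_SIGNED))
    print("Response-only signature:", signature_locations(RESPONSE_ONLY_SIGNED))
    print("Assertion signature:", signature_locations(ASSERTION_SIGNED))
```

To use it against a real tenant, base64-decode the SAMLResponse form field posted to the ACS and pass the XML to signature_locations(); if "all_assertions_signed" is still False after the change, check that the metadata B2C actually holds in the PartnerEntity item (not the file on the SP side) has the attribute, since that copy is the one B2C reads. Signature verification itself (reference digests, key matching, canonicalization) is the SP library's job and is deliberately outside this script.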
