Does Azure AD B2C support SAML HTTP-Artifact binding?

Teddy EL-KHOURY 0 Reputation points
2024-07-18T13:00:34.8033333+00:00

I'm trying to delegate Authentication from Oracle Fusion Applications Cloud (Service Provider) to MS Azure AD B2C (Identity Provider) for our external users (example: suppliers).

Oracle Fusion Cloud only supports SAML so we followed the steps documented here: https://learn.microsoft.com/en-us/azure/active-directory-b2c/saml-service-provider-options?pivots=b2c-custom-policy

After setting up the required steps I'm getting the following error:

AADB2C99025: The specified SAML Binding method 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact' is not supported

I noticed in the Metadata from Oracle Fusion Cloud the following section:

<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
    Location="https://xxxx.oraclecloud.com/oam/server/fed/sp/sso" index="0" isDefault="true" />
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Location="https://xxxx.oraclecloud.com/oam/server/fed/sp/sso" index="1" />

For testing purposes, I tried changing the order: HTTP-POST -> index="0" (or removing the first statement completely) and it works (in both cases). However, it's not a permanent solution because I would like to use the Fusion Metadata endpoint rather than injecting the metadata (CDATA) in the custom policy.

Question: If Azure AD B2C doesn't support HTTP-Artifact, is there something that we can do to change the behaviour, so HTTP-POST takes precedence?


1 answer

  1. Raja Pothuraju 1,760 Reputation points Microsoft Vendor
    2024-07-22T05:25:52.4166667+00:00

    Hello @Teddy EL-KHOURY,

    Thank you for posting your query on Microsoft Q&A.

    Based on your description, it seems you've configured a SAML-based application in your B2C tenant. However, upon configuration, you encountered an error indicating "AADB2C99025: The specified SAML Binding method 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact' is not supported".

    Cause: Yes, B2C natively doesn't support HTTP-Artifact bindings.

    Remediation: The SAML IdP should ideally use HTTP-POST or HTTP-Redirect bindings.

    That's why removing the HTTP-Artifact line from Oracle Fusion Cloud Metadata or changing the index value to "0" for HTTP-POST allowed it to function normally again.

    SAML Identity Provider (IdP) metadata should ideally use HTTP-POST or HTTP-Redirect bindings, as shown below:

        </md:KeyDescriptor>
        <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://test-dev-ed.my.salesforce.com/services/auth/idp/saml2/logout"/>
        <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://test-dev-ed.my.salesforce.com/services/auth/idp/saml2/logout"/>
        <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
        <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://test-dev-ed.my.salesforce.com/idp/endpoint/HttpPost"/>
        <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://test-dev-ed.my.salesforce.com/idp/endpoint/HttpRedirect"/>
      </md:IDPSSODescriptor>
    </md:EntityDescriptor>


    Ensure your SAML IDP Metadata adheres to these specifications to avoid compatibility issues with Azure AD B2C.

    I hope this information is helpful. Please feel free to reach out if you have any further questions.

    If this answers your query, do click "Accept Answer" and "Yes" for "Was this answer helpful". And, if you have any further query, do let us know.

    Thanks,
    Raja Pothuraju.
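
A check worth running on the service provider metadata before pointing a B2C policy at it, added here as an example and not part of the original question or answer (nor Microsoft or Oracle code). It parses the SP metadata, reports every AssertionConsumerService whose binding is HTTP-Artifact (the binding the AADB2C99025 error names), works out which endpoint is the default under the SAML metadata rules (isDefault="true", otherwise the first one listed), and emits a filtered copy in which the HTTP-POST endpoint is index 0 and the default. That is the manual edit the question describes, done programmatically. The embedded sample is constructed from the fragment quoted in the question; the entityID and hostname are placeholders.

```python
"""Check SAML SP metadata for AssertionConsumerService bindings Azure AD B2C
rejects (AADB2C99025) and produce a filtered copy that prefers HTTP-POST.
Added example for this thread; not Microsoft or Oracle code."""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
ACS_TAG = f"{{{MD_NS}}}AssertionConsumerService"
SPSSO_TAG = f"{{{MD_NS}}}SPSSODescriptor"
ET.register_namespace("md", MD_NS)  # keep the md: prefix when re-serialising

HTTP_ARTIFACT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
# Bindings the thread reports as working with B2C; HTTP-Artifact is the one
# the AADB2C99025 error names as unsupported.
B2C_SUPPORTED = {HTTP_POST, HTTP_REDIRECT}

# Constructed sample modelled on the Oracle Fusion fragment quoted in the
# question. entityID and hostname are placeholders, not real values.
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://xxxx.oraclecloud.com/oam/fed">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://xxxx.oraclecloud.com/oam/server/fed/sp/sso" index="0" isDefault="true"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://xxxx.oraclecloud.com/oam/server/fed/sp/sso" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def list_acs(metadata_xml: str) -> list[dict]:
    """Return every AssertionConsumerService in document order."""
    root = ET.fromstring(metadata_xml)
    return [
        {
            "binding": acs.get("Binding"),
            "location": acs.get("Location"),
            "index": int(acs.get("index", "0")),
            "is_default": acs.get("isDefault", "false").lower() == "true",
        }
        for acs in root.iter(ACS_TAG)
    ]


def default_acs(acs_list: list[dict]) -> dict:
    """Endpoint used when the AuthnRequest names none: the entry flagged
    isDefault="true", otherwise the first one listed (SAML metadata
    IndexedEndpointType rules)."""
    for acs in acs_list:
        if acs["is_default"]:
            return acs
    return acs_list[0]


def check_for_b2c(metadata_xml: str) -> list[str]:
    """Findings that would make B2C fail on this metadata; empty means clean."""
    acs_list = list_acs(metadata_xml)
    if not acs_list:
        return ["no AssertionConsumerService element found"]
    findings = [
        f"index {a['index']}: binding {a['binding']} is not supported by B2C"
        for a in acs_list if a["binding"] not in B2C_SUPPORTED
    ]
    default = default_acs(acs_list)
    if default["binding"] not in B2C_SUPPORTED:
        findings.append(
            f"default ACS (index {default['index']}) uses {default['binding']}; "
            "B2C would raise AADB2C99025"
        )
    return findings


def filter_acs_for_b2c(metadata_xml: str) -> str:
    """Drop ACS entries with unsupported bindings, renumber the survivors from
    0 and make the first one the default (the hand edit from the question)."""
    root = ET.fromstring(metadata_xml)
    for sp in list(root.iter(SPSSO_TAG)):
        kept = []
        for acs in list(sp.findall(ACS_TAG)):
            if acs.get("Binding") in B2C_SUPPORTED:
                kept.append(acs)
            else:
                sp.remove(acs)
        if not kept:
            raise ValueError("no AssertionConsumerService with a B2C-supported binding")
        for i, acs in enumerate(kept):
            acs.set("index", str(i))
            if i == 0:
                acs.set("isDefault", "true")
            else:
                acs.attrib.pop("isDefault", None)
    return ET.tostring(root, encoding="unicode")
```

Two caveats when using the filtered output. First, it can only be consumed by embedding it in the policy (the CDATA route the question mentions) or by hosting it at a URL you control, and a copy you host must be kept in sync with Oracle's metadata endpoint by you; any XML signature on the original document no longer verifies once an element has been removed, so re-host only over a channel you trust. Second, in the quoted metadata both bindings share the same Location, so dropping the HTTP-Artifact entry changes only the binding B2C uses to deliver the response, not the endpoint it is delivered to; if an SP ever publishes different Locations per binding, check that the surviving HTTP-POST Location is the one you expect.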