Azure B2C multitenant SAML app login

Question

Azure B2C multitenant SAML app login

robcool 116

How can I configure my SAML app in B2C to enable login from multitenant Azure AD using an extensionattribute ?
Can anyone please point to some sample code to achieve this ?

1 answer

Your answer

Answer 1

AmanpreetSingh-MSFT 56,876 Moderator

Hi @robcool • Thank you for reaching out.

Unfortunately, there is no sample readily available for this scenario. However, you can follow below steps to achieve your requirements:

Follow the instructions mentioned in Register a SAML application in Azure AD B2C, for SAML application to integrate with B2C.
Once done, update the TrustframeworkExtensions file as per the instructions provided here: Set up sign-in for multi-tenant Azure Active Directory using custom policies in Azure Active Directory B2C
To collect extension attribute during sign-up/first sign-in of new users, follow the steps mentioned here: Add user attributes and customize user input in Azure Active Directory B2C

Login from multitenant Azure AD using an extensionattribute is not possible as the authentication will be done by standard Azure AD tenant. You will have to either use UPN or Alternate login ID (if configured), in order to sign in.

-----------------------------------------------------------------------------------------------------------

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

robcool 116 Reputation points

2021-11-09T01:36:10.74+00:00

Thanks @AmanpreetSingh-MSFT

I'm trying to read the NameID element as a claim in a B2C TechnicalProfile for a SAML2 Azure AD identity provider. Tried adding the attribute in output claim as below:

<OutputClaim ClaimTypeReferenceId="employeeId" PartnerClaimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" />

However, it doesn't show up the value. Any thoughts ?
AmanpreetSingh-MSFT 56,876 Reputation points Moderator

2021-11-10T14:21:55.48+00:00

Hi @robcool • To get the claim in the token which is presented to the application, the output claim needs to be added to the RP file (your signup_signin.xml file) in addition to the output claim in the Technical profile for SAML IDP.
robcool 116 Reputation points

2021-11-12T11:39:53.91+00:00

Hi @AmanpreetSingh-MSFT

I did add the output claim in the RelyingParty as well but still it doesnt't show up the value of the nameidentifier for employeeID.
Any thoughts ?
AmanpreetSingh-MSFT 56,876 Reputation points Moderator

2021-11-16T09:58:36.027+00:00

Hi @robcool • To get the employee id as name id in the saml token, you need to update the SubjectNamingInfo tag in the RP file as highlighted below:

Below is how it is returned in the saml response:

<saml:Subject><saml:NameID>123456</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData NotOnOrAfter="2021-11-16T09:38:31.6826433Z" Recipient="https://samltestapp2.azurewebsites.net/SP/AssertionConsumer" InResponseTo="_628899197" /></saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore="2021-11-16T09:33:31.6826433Z" NotOnOrAfter="2021-11-16T09:38:31.6826433Z"><saml:AudienceRestriction>

Also, make sure the employee ID attribute must have a value populated.
robcool 116 Reputation points

2021-11-22T07:44:04.157+00:00

Hi @AmanpreetSingh-MSFT

Below are the changes implemented in my custom policy files:

TrustFramework Extensions:

AzureAD TechnicalProfile - Output claim

Relying Party- Output claim

While retrieving claims, it shows all the attributes except for employeeID however, user identity has employeeid attribute with value.

I'm receiving the SAML error message on screen saying :

The relying party technical profile specifies the claim type 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier' as the subject naming info claim, but the claim is not present or is null.
AmanpreetSingh-MSFT 56,876 Reputation points Moderator

2021-11-23T05:40:46.46+00:00

Hi @robcool • Is the Azure AD technical profile, you have provided above, for a federated Azure AD tenant? If yes, you have specified the PartnerClaimType for employeeid as nameid, you need to make sure that the PartnerClaimType matches with the claim name, in which the federated Azure AD tenant is sending the employeeid.

Share via

Azure B2C multitenant SAML app login

1 answer

Your answer