Null attribute values in SAML response from B2C

We use an external provider who uses SAML for SSO, and we got this all hooked up and working with B2C months ago. In response to their SAML request we pass over a few custom attributes, and if those values match the data they hold the user is successfully authenticated. Here's an example of the attributes sent over in the response:
<saml:AttributeStatement xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <saml:Attribute Name="employeeNumber" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="EmployeeID">
    <saml:AttributeValue xsi:type="xs:string">123456</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="mail" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="Email Address">
    <saml:AttributeValue xsi:type="xs:string">abc@123.com</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
To access the content on the external provider's site, our users have to log in to our site first, which is B2C using OAuth.
We now have a problem with one specific user. They can log in to our site fine, but when they try to access the external provider's site all attribute values sent in the B2C SAML response are null, even though their B2C account contains all the required information. Here's an example:
<saml:AttributeStatement xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <saml:Attribute Name="employeeNumber" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="EmployeeID">
    <saml:AttributeValue xsi:nil="true" />
  </saml:Attribute>
  <saml:Attribute Name="mail" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="Email Address">
    <saml:AttributeValue xsi:nil="true" />
  </saml:Attribute>
</saml:AttributeStatement>
The response also contains the B2C Object Id for that user, and it is correct. We've compared the account to several others who have no problem, and apart from names, IDs, etc., we cannot see anything wrong. Could this possibly be corrupt data, or is there something else that would be causing this issue? Thanks.
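The check the relying-party side would want for the situation above, as an added example that is not code from this thread or from Azure AD B2C: parse the AttributeStatement, treat any required attribute that is xsi:nil, empty or absent as a hard failure before comparing anything with stored data, so a null-for-null match can never authenticate a user. The two sample statements are the ones from the question with the saml and xsi namespace declarations added so the fragments parse on their own; the required-attribute list and the stored values are assumptions for the example.

```python
"""Added example (not from the Q&A thread or from Azure AD B2C): parse a SAML
AttributeStatement and reject assertions whose required attributes are
xsi:nil, empty or missing instead of comparing null values with stored data."""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"
XS_NS = "http://www.w3.org/2001/XMLSchema"
NS = {"saml": SAML_NS, "xsi": XSI_NS}
NIL_ATTR = "{%s}nil" % XSI_NS

# Constructed samples: the two statements from the question, with the
# namespace declarations a fragment inherits from the full assertion added.
_DECL = 'xmlns:saml="%s" xmlns:xs="%s" xmlns:xsi="%s"' % (SAML_NS, XS_NS, XSI_NS)

HEALTHY = """<saml:AttributeStatement %s>
  <saml:Attribute Name="employeeNumber" FriendlyName="EmployeeID">
    <saml:AttributeValue xsi:type="xs:string">123456</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="mail" FriendlyName="Email Address">
    <saml:AttributeValue xsi:type="xs:string">abc@123.com</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>""" % _DECL

NIL = """<saml:AttributeStatement %s>
  <saml:Attribute Name="employeeNumber" FriendlyName="EmployeeID">
    <saml:AttributeValue xsi:nil="true" />
  </saml:Attribute>
  <saml:Attribute Name="mail" FriendlyName="Email Address">
    <saml:AttributeValue xsi:nil="true" />
  </saml:Attribute>
</saml:AttributeStatement>""" % _DECL

# Assumed policy of the relying party: both attributes must carry a value.
REQUIRED = ["employeeNumber", "mail"]


def parse_attributes(xml_text):
    """Return {attribute Name: [values]}; an xsi:nil value becomes None,
    an element with no text becomes ""."""
    root = ET.fromstring(xml_text)
    if root.tag == "{%s}AttributeStatement" % SAML_NS:
        statements = [root]
    else:  # a whole assertion or response was passed in
        statements = root.findall(".//saml:AttributeStatement", NS)
    attrs = {}
    for stmt in statements:
        for attr in stmt.findall("saml:Attribute", NS):
            values = []
            for val in attr.findall("saml:AttributeValue", NS):
                if val.get(NIL_ATTR, "false").lower() in ("true", "1"):
                    values.append(None)
                else:
                    values.append((val.text or "").strip())
            attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def missing_required(attrs, required):
    """Names of required attributes that are absent, xsi:nil or empty."""
    return [name for name in required if not any(attrs.get(name, []))]


def check_assertion(xml_text, required, stored):
    """(ok, reason): fail closed on nil/missing attributes, then compare each
    stored value against the values actually asserted."""
    attrs = parse_attributes(xml_text)
    missing = missing_required(attrs, required)
    if missing:
        return False, "required attributes nil or missing: %s" % ", ".join(missing)
    for name, want in stored.items():
        if want not in attrs.get(name, []):
            return False, "attribute %s does not match stored value" % name
    return True, "ok"


if __name__ == "__main__":
    stored = {"employeeNumber": "123456", "mail": "abc@123.com"}
    print(check_assertion(HEALTHY, REQUIRED, stored))
    print(check_assertion(NIL, REQUIRED, stored))
```

The nil check runs before any comparison on purpose: a comparison routine that treats "no value" on both sides as equal would quietly accept a broken assertion, whereas failing closed produces a clear, loggable reason that names the attributes the identity provider did not populate.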
Thanks for your reply, @sikumars-msft. Maybe I didn't provide enough information.
Once a user account is created with the external provider, none of the user's details can be changed afterwards. So, to make things easier to manage, and to avoid anyone accidentally changing any of these values on the user's B2C account, we created custom attributes whose values will never change, which are used in the relying party custom policy:
These output claims are also in the AAD-UserReadUsingObjectId technical profile.
So, as there is just a single user whose output claim values get sent as null in the SAML response, I can't see that this could be a configuration problem. Is there anything else you can think of that would cause this problem?
@sikumars-msft Do you have an update on this at all? Thanks.
@Neil B, apologies for the delay in the response.
It's worth setting up Application Insights as detailed here and looking into the claims bag, which helps to provide more insight when dealing with claims-related issues for specific users. If that doesn't help, feel free to send me an email with the subject line "Attn: SivaKumarS" to AzCommunity@microsoft.com, include your subscription ID, and I will gladly open a free support case for you.
@sikumars-msft Thanks for the advice. Setting up Application Insights in a live environment is obviously going to capture personal data. Is there any way this data can be removed from the Application Insights logs after I have finished analysing them?