Null attribute values in SAML response from B2C

Neil B 21 Reputation points
2022-01-21T13:02:35.15+00:00

We use an external provider who uses SAML for SSO, and we got this all hooked up and working with B2C months ago. In response to their SAML request we pass over a few custom attributes, and if those values match the data they hold, the user is successfully authenticated. Here's an example of the attributes sent over in the response:

<saml:AttributeStatement xmlns:xs="http://www.w3.org/2001/XMLSchema">
    <saml:Attribute Name="employeeNumber" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="EmployeeID">
        <saml:AttributeValue xsi:type="xs:string">123456</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="mail" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="Email Address">
        <saml:AttributeValue xsi:type="xs:string">abc@123.com</saml:AttributeValue>
    </saml:Attribute>
</saml:AttributeStatement>

To access the content on the external provider's site, our users have to log in to our site first, which is B2C using OAuth.

We now have a problem with one specific user. They can log in to our site fine, but when they try to access the external provider's site, all attribute values sent in the B2C SAML response are null, even though their B2C account contains all the required information. Here's an example:

<saml:AttributeStatement xmlns:xs="http://www.w3.org/2001/XMLSchema">
    <saml:Attribute Name="employeeNumber" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="EmployeeID">
        <saml:AttributeValue xsi:nil="true" />
    </saml:Attribute>
    <saml:Attribute Name="mail" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="Email Address">
        <saml:AttributeValue xsi:nil="true" />
    </saml:Attribute>
</saml:AttributeStatement>

The response also contains the B2C Object Id for that user, and it is correct. We've compared the account to several others who have no problem and, apart from names, IDs, etc., we cannot see anything wrong. Could this possibly be corrupt data, or is there something else that would be causing this issue? Thanks.
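A relying-party-side check for the two statements above, as an added example that is not part of the question, of B2C, or of the external provider's code: it parses a saml:AttributeStatement and treats any AttributeValue carrying xsi:nil="true" (or no text) as missing, so an assertion like the second one is rejected outright instead of a null value ever being compared against the provider's stored data. The namespace declarations on the constructed samples are assumed, since the posted snippets omit them.

```python
"""Relying-party check: parse a saml:AttributeStatement and fail closed on nil values."""
import xml.etree.ElementTree as ET  # use defusedxml.ElementTree for untrusted input

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "xsi": "http://www.w3.org/2001/XMLSchema-instance"}
XSI_NIL = "{%s}nil" % NS["xsi"]
REQUIRED = ("employeeNumber", "mail")

# Constructed samples modelled on the two statements in the question; the
# namespace declarations are assumed (the posted snippets omit them).
_HEAD = ('<saml:AttributeStatement xmlns:saml="%s" xmlns:xsi="%s" '
         'xmlns:xs="http://www.w3.org/2001/XMLSchema">' % (NS["saml"], NS["xsi"]))
GOOD_STATEMENT = _HEAD + """
  <saml:Attribute Name="employeeNumber" FriendlyName="EmployeeID">
    <saml:AttributeValue xsi:type="xs:string">123456</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="mail" FriendlyName="Email Address">
    <saml:AttributeValue xsi:type="xs:string">abc@123.com</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""
NIL_STATEMENT = _HEAD + """
  <saml:Attribute Name="employeeNumber" FriendlyName="EmployeeID">
    <saml:AttributeValue xsi:nil="true" />
  </saml:Attribute>
  <saml:Attribute Name="mail" FriendlyName="Email Address">
    <saml:AttributeValue xsi:nil="true" />
  </saml:Attribute>
</saml:AttributeStatement>"""

def extract_attributes(statement_xml):
    """Map each saml:Attribute Name to its list of values; an AttributeValue
    carrying xsi:nil="true" or no text becomes None rather than ''."""
    root = ET.fromstring(statement_xml)
    attrs = {}
    for attr in root.findall("saml:Attribute", NS):
        values = []
        for av in attr.findall("saml:AttributeValue", NS):
            nil = av.get(XSI_NIL, "false").lower() in ("true", "1")
            text = (av.text or "").strip()
            values.append(None if nil or not text else text)
        attrs[attr.get("Name")] = values
    return attrs

def missing_required(attrs, required=REQUIRED):
    """Required attribute names that are absent or have only nil/empty values;
    a non-empty result means the assertion must be rejected, not matched."""
    return [n for n in required if not any(v is not None for v in attrs.get(n, []))]

if __name__ == "__main__":
    print(missing_required(extract_attributes(NIL_STATEMENT)))  # ['employeeNumber', 'mail']
```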
