Profile 'JwtIssuer' in policy 'B2C_1A_signup_signin_saml' in tenant '.onmicrosoft.com' does not contain the required cryptographic key 'SamlMessageSigning'

Question

Hi ,

I am getting this message when trying to login with a Saml application.

Profile 'JwtIssuer' in policy 'B2C_1A_signup_signin_saml' in tenant '.onmicrosoft.com' does not contain the required cryptographic key 'SamlMessageSigning'

This is working fine when i use the default user Journey (signupsign) from the base file. I am trying to integrate it with the Auto Account link extension policy.

The auto account link extension policy is working fine when using OpenIdConnect protocol relying party

Answer 1

Hi @Narendrn Balachandran ,

Thank you for reaching out. I understand that you are receiving the following error when trying to login with a SAML application:

Profile 'JwtIssuer' in policy 'B2C_1A_signup_signin_saml' in tenant '.onmicrosoft.com' does not contain the required cryptographic key 'SamlMessageSigning'

A few things to check:

• Make sure you registered IdentityExperienceFramework and ProxyIdentityExperienceFramework as explained here: https://learn.microsoft.com/en-us/azure/active-directory-b2c/tutorial-create-user-flows?pivots=b2c-custom-policy#register-identity-experience-framework-applications

Make sure that the JwtIssuer profile contains the SamlMessageSigning:

  <Key Id="SamlMessageSigning" StorageReferenceId="B2C_1A_SamlIdpCert"/>  

• Also make sure you have added signing and encryption keys as mentioned here: https://learn.microsoft.com/en-us/azure/active-directory-b2c/tutorial-create-user-flows?pivots=b2c-custom-policy#add-signing-and-encryption-keys

If you are still facing this issue, please share your technical profile so that I can help troubleshoot.

Answer 2

Sorry for the late reply. The issue was resolved by adding the Samlmessagesigning to the Jwtissuer profile.