Azure b2c as identity provider for zendesk application problem with sessionIndex on logout

Kasia Kielbasa (Group)
2022-05-04T00:22:04.017+00:00

Hi,

I have set up SSO for Zendesk with an Azure B2C tenant as Identity Provider (Azure B2C local accounts only) and the IdP-initiated flow using this documentation: https://learn.microsoft.com/en-us/azure/active-directory-b2c/saml-service-provider?tabs=windows&pivots=b2c-custom-policy. Here is how the Technical Profile and Relying Party are configured in the custom policy for SAML:

<ClaimsProviders>
    <ClaimsProvider>
        <DisplayName>Saml Token Issuer</DisplayName>
        <TechnicalProfiles>
            <!-- Sample: SAML Token Issuer technical profile -->
            <TechnicalProfile Id="Saml2AssertionIssuer">
                <DisplayName>Token Issuer</DisplayName>
                <Protocol Name="SAML2" />
                <OutputTokenFormat>SAML2</OutputTokenFormat>
                <Metadata>
                    <Item Key="IssuerUri">http://{tenant}/{}.onmicrosoft.com/B2C_1A_signin_Zendesk</Item>
                    <Item Key="XmlSignatureAlgorithm">Sha256</Item>
                </Metadata>
                <CryptographicKeys>
                    <Key Id="SamlMessageSigning" StorageReferenceId="B2C_1A_SamlIdpCert" />
                    <Key Id="SamlAssertionSigning" StorageReferenceId="B2C_1A_SamlIdpCert" />
                    <Key Id="SamlAssertionDecryption" StorageReferenceId="B2C_1A_SamlIdpCert" />
                </CryptographicKeys>
                <InputClaims />
                <OutputClaims />
                <UseTechnicalProfileForSessionManagement ReferenceId="SM-Saml-issuer" />
            </TechnicalProfile>
            <!-- Session management technical profile for SAML based tokens -->
            <TechnicalProfile Id="SM-Saml-issuer">
                <DisplayName>Session Management Provider</DisplayName>
                <Protocol Name="Proprietary" Handler="Web.TPEngine.SSO.SamlSSOSessionProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
            </TechnicalProfile>
        </TechnicalProfiles>
    </ClaimsProvider>
</ClaimsProviders>

<RelyingParty>
    <DefaultUserJourney ReferenceId="CustomSignUpOrSignIn" />
    <UserJourneyBehaviors>
        <SessionExpiryType>Rolling</SessionExpiryType>
        <SessionExpiryInSeconds>86400</SessionExpiryInSeconds>
        <ScriptExecution>Allow</ScriptExecution>
    </UserJourneyBehaviors>
    <TechnicalProfile Id="PolicyProfile">
        <DisplayName>PolicyProfile</DisplayName>
        <Protocol Name="SAML2" />
        <Metadata>
            <Item Key="IdpInitiatedProfileEnabled">true</Item>
            <Item Key="XmlSignatureAlgorithm">Sha256</Item>
        </Metadata>
        <OutputClaims>
            <OutputClaim ClaimTypeReferenceId="signInNames.emailAddress" PartnerClaimType="sub" />
            <OutputClaim ClaimTypeReferenceId="givenName" />
            <OutputClaim ClaimTypeReferenceId="surname" />
            <OutputClaim ClaimTypeReferenceId="tenantId" AlwaysUseDefaultValue="true" DefaultValue="{Policy:TenantObjectId}" />
        </OutputClaims>
        <SubjectNamingInfo ClaimType="sub" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified" ExcludeAsClaim="false" />
    </TechnicalProfile>
</RelyingParty>

In the manifest I have set up identifierUris and samlMetadataUrl, which is similar to the one from the Zendesk documentation (https://support.zendesk.com/hc/en-us/articles/4408887505690-Enabling-SAML-single-sign-on):

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<EntityDescriptor entityID="yoursubdomain.zendesk.com" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
<SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
<AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://yoursubdomain.zendesk.com/access/saml"/>
</SPSSODescriptor>
</EntityDescriptor>

Sign in works as expected.

For sign out I am calling the URL from SingleLogoutService (set up as the remote logout URL in the Zendesk configuration): <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://tenant.b2clogin.com/tenant.onmicrosoft.com/B2C_1A_signin_Zendesk/samlp/sso/logout"/>.
Sign out doesn't work. I am getting this message from Azure B2C: 'AADB2C99046: The logout request does not include a session index.'. The logout request is issued by the SP, i.e. Zendesk, as per their implementation, and it just happens not to contain a session index:

<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="samlr-ca7b06d7-1119-490c-8567-577167fa5f62" IssueInstant="2022-05-03T21:51:38Z" Version="2.0">
<saml:Issuer>https://blabla.zendesk.com</saml:Issuer>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">test@test .com</saml:NameID>
</samlp:LogoutRequest>

What can be done in this situation? Should there be an additional wrapper service between Azure B2C and Zendesk that reads the session index from the SAML login response, adds it to the logout request issued by Zendesk, and then sends this new request to the SingleLogoutService of the Azure B2C tenant?
Or is there a smarter way of handling SAML logout in Azure when I don't have a session index in the logout request from Zendesk (maybe I am missing something in my configuration)?
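To make concrete what the AADB2C99046 check is looking for, here is an added Python example (not code from the question, from Microsoft or from Zendesk). It pulls the SessionIndex out of the AuthnStatement of a SAML login Response, detects a LogoutRequest that carries none (the exact shape Zendesk sends above), and produces a copy with the index appended, which is the mechanism the wrapper idea in the question would rely on. Everything in it is constructed: the sample Response and LogoutRequest, the example.b2clogin.com and example.zendesk.com values, the `_sess-0001` index and the function names. Whether a wrapper is the right fix is not something the question settles; the example only shows the data flow.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
# Keep the conventional prefixes when serialising instead of ET's generated ns0/ns1.
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Constructed, heavily trimmed stand-in for a SAML login Response (signature, Conditions
# and AttributeStatement omitted). Only the AuthnStatement matters here: its SessionIndex
# is the value an IdP expects to see echoed back in a LogoutRequest.
SAMPLE_LOGIN_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_resp-0001" Version="2.0" IssueInstant="2022-05-03T21:40:00Z">
  <saml:Issuer>http://example.b2clogin.com/example.onmicrosoft.com/B2C_1A_signin_Zendesk</saml:Issuer>
  <saml:Assertion ID="_assert-0001" Version="2.0" IssueInstant="2022-05-03T21:40:00Z">
    <saml:Issuer>http://example.b2clogin.com/example.onmicrosoft.com/B2C_1A_signin_Zendesk</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@example.com</saml:NameID>
    </saml:Subject>
    <saml:AuthnStatement AuthnInstant="2022-05-03T21:40:00Z" SessionIndex="_sess-0001">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""

# Constructed SP-initiated LogoutRequest in the shape Zendesk sends: Issuer and NameID only.
SP_LOGOUT_REQUEST = f"""<samlp:LogoutRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="samlr-0001" Version="2.0" IssueInstant="2022-05-03T21:51:38Z">
  <saml:Issuer>https://example.zendesk.com</saml:Issuer>
  <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@example.com</saml:NameID>
</samlp:LogoutRequest>"""


def session_index_from_response(response_xml: str):
    """Return the SessionIndex of the first AuthnStatement in a login Response, or None."""
    root = ET.fromstring(response_xml)
    stmt = root.find(".//saml:AuthnStatement", NS)
    return None if stmt is None else stmt.get("SessionIndex")


def session_indexes_in_logout(logout_xml: str):
    """Return every SessionIndex a LogoutRequest carries; an empty list is the AADB2C99046 condition."""
    root = ET.fromstring(logout_xml)
    return [el.text for el in root.findall("samlp:SessionIndex", NS)]


def add_session_index(logout_xml: str, session_index: str) -> str:
    """Return a copy of an SP LogoutRequest with the given SessionIndex appended.

    The schema order for LogoutRequest is Issuer, Signature, Extensions, NameID, SessionIndex*,
    so appending at the end keeps the document valid. The result is unsigned: a wrapper
    that rewrites the request has to produce its own signature if the IdP requires one,
    because the SP's signature (if any) no longer covers the modified document.
    """
    if session_index in session_indexes_in_logout(logout_xml):
        return logout_xml  # already present; nothing to do
    root = ET.fromstring(logout_xml)
    el = ET.SubElement(root, f"{{{SAMLP}}}SessionIndex")
    el.text = session_index
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    idx = session_index_from_response(SAMPLE_LOGIN_RESPONSE)
    print("SessionIndex observed at sign-in:", idx)
    print("SessionIndex values in SP logout request:", session_indexes_in_logout(SP_LOGOUT_REQUEST))
    print(add_session_index(SP_LOGOUT_REQUEST, idx))
```

Two things follow from the code for anyone considering the wrapper route. The SessionIndex is only visible at sign-in, so the wrapper must store it per NameID when the Response passes through and look it up at logout time. And since the wrapper accepts a NameID and turns it into an IdP logout, it must check where the LogoutRequest came from (signature or at least origin) before rewriting it, otherwise it becomes a way for any caller to end another user's IdP session.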
