JavierSassen-8090 asked (2 votes); SvenMawby-3955 commented

How to sign the assertion only: Azure AD B2C as IdP using a custom policy (SAML)

I'm trying to set up Qlik Sense SSO using Azure AD B2C as the SAML IdP. I followed all the steps in https://docs.microsoft.com/en-us/azure/active-directory-b2c/connect-with-saml-service-providers, but my SP requires the assertion to be signed. Is it possible to do this using the custom policies?

Thanks in advance!

Tags: azure-ad-b2c, azure-ad-single-sign-on, azure-ad-authentication-protocols

I have finally got this working. The key is to also have an SP metadata document that asks for SAML assertion signing. The metadata document can be hosted anywhere (as long as it's over SSL) and must ask for SAML assertion signing. The MSDN documentation has been updated too.

amanpreetsingh-msft answered (0 votes); amanpreetsingh-msft commented

@JavierSassen-8090 If you have followed all the instructions mentioned in https://docs.microsoft.com/en-us/azure/active-directory-b2c/connect-with-saml-service-providers, you should get a signed SAML assertion only. The SAML Assertion key (highlighted below) is used for this purpose:

[screenshot: the SAML Assertion key highlighted]

Please "Accept as answer" wherever the information provided helps you to help others in the community.



Unfortunately this doesn't solve my issue. When comparing the SAML Response generated by AAD (which works) and the response generated by the B2C custom policy (this response doesn't work), I see different orders:

[screenshot: differences between the two SAML responses]

Could you possibly help me any further?


@JavierSassen-8090 I don't think order should cause any issue here.

I would suggest you start debugging from the application side, as the token is issued by B2C and the application is failing to consume that token. Starting by looking into the application logs would help narrow down the issue. The problem can be due to the signature algorithm, as I can see AAD is using rsa-sha256 and B2C is using rsa-sha1, but that's a wild guess.


RadosawDudyk-9281 answered (0 votes)

I have the same problem with Load Master.
Did you resolve this problem?

Enric-2463 answered (1 vote); SvenMawby-3955 commented

Hi @amanpreetsingh-msft

I think Azure AD B2C signs the response, not the assertion (as AD does).

Theoretically, via B2C custom policies you can set the XmlSignatureAlgorithm metadata property in both the RelyingParty/TechnicalProfile (it is related to the response)

https://docs.microsoft.com/es-es/azure/active-directory-b2c/relyingparty#metadata

and also in the "ClaimsProvider" (it should be related to the assertion)

https://docs.microsoft.com/es-es/azure/active-directory-b2c/saml-issuer-technical-profile#metadata

But it looks like the assertion is never signed.

Question: is the "SamlAssertionSigning" key in the ClaimsProvider doing something?

By the way, the "SamlAssertionSigning" key is not mentioned in the documentation (https://docs.microsoft.com/es-es/azure/active-directory-b2c/saml-issuer-technical-profile#metadata). Has something changed?


This is still an issue - did you find a workaround @Enric-2463 ?

Hi @amanpreetsingh-msft, as @JavierSassen-8090 posted, AAD B2C is signing the message but not the assertion. It's definitely a feature that isn't implemented.

The updated documentation links are https://github.com/MicrosoftDocs/azure-docs/blob/master/articles/active-directory-b2c/saml-issuer-technical-profile.md#cryptographic-keys, which shows MetadataSigning and SamlMessageSigning as the 2 supported CryptographicKeys elements.

The document at https://github.com/MicrosoftDocs/azure-docs/blob/master/articles/active-directory-b2c/saml-service-provider.md#enable-your-policy-to-connect-with-a-saml-application still references the (non-existent and non-working?) SamlAssertionSigning key


It seems like assertion signing is still not possible, is there any plan on implementing this in future?

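The thread turns on two things that are easy to get wrong when reading a SAML Response by eye: whether the ds:Signature sits on the samlp:Response (message signing) or inside the saml:Assertion (assertion signing), and which SignatureMethod it declares (the rsa-sha1 vs rsa-sha256 difference mentioned above). The comment that finally got it working also points at the SP metadata, whose SPSSODescriptor carries the WantAssertionsSigned flag. The Python below is an added example, not code from this thread, from Microsoft, or from Qlik: it locates signatures in a response, reports the algorithm, checks that each enveloped signature's Reference URI points at the ID of the element that carries it (a wrong Reference is the classic signature-wrapping red flag), and compares that against the SP's metadata flags. It only uses the standard library and does not cryptographically verify anything; the sample XML, issuer hostnames and signature values are constructed placeholders.

```python
"""Locate signatures in a SAML 2.0 Response and read SP metadata signing flags.

Added example for this thread, not project code. Reports WHERE a signature
sits (Response vs. Assertion), its declared algorithm and whether its
Reference URI targets the element it is enveloped in. No crypto is verified.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
}
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"


def _describe_signature(element):
    """Describe the ds:Signature that is a direct child of element, or None."""
    sig = element.find("ds:Signature", NS)
    if sig is None:
        return None
    method = sig.find("ds:SignedInfo/ds:SignatureMethod", NS)
    ref = sig.find("ds:SignedInfo/ds:Reference", NS)
    alg = method.get("Algorithm") if method is not None else None
    ref_uri = ref.get("URI") if ref is not None else None
    return {
        "algorithm": alg,
        "weak_algorithm": alg == RSA_SHA1,
        # An enveloped signature must reference the ID of its own parent.
        "reference_ok": ref_uri == "#" + element.get("ID", ""),
    }


def signature_report(response_xml):
    """Where are the signatures in this samlp:Response?"""
    root = ET.fromstring(response_xml)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response")
    assertion = root.find("saml:Assertion", NS)
    return {
        "response": _describe_signature(root),
        "assertion": _describe_signature(assertion) if assertion is not None else None,
        "encrypted_assertion": root.find("saml:EncryptedAssertion", NS) is not None,
    }


def sp_metadata_flags(metadata_xml):
    """Read the signing requirements an SP declares in its metadata."""
    root = ET.fromstring(metadata_xml)
    spsso = root.find("md:SPSSODescriptor", NS)
    if spsso is None:
        raise ValueError("no md:SPSSODescriptor in metadata")

    def flag(name):
        return spsso.get(name, "false").strip().lower() == "true"

    return {"WantAssertionsSigned": flag("WantAssertionsSigned"),
            "AuthnRequestsSigned": flag("AuthnRequestsSigned")}


def sp_accepts(response_xml, metadata_xml):
    """True if the response meets the SP's declared assertion-signing requirement."""
    if not sp_metadata_flags(metadata_xml)["WantAssertionsSigned"]:
        return True
    a = signature_report(response_xml)["assertion"]
    return a is not None and a["reference_ok"]


# ---- Constructed samples (placeholder signature values, made-up hostnames) ----
def _sig(alg, ref_id):
    return ('<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>'
            '<ds:SignatureMethod Algorithm="%s"/><ds:Reference URI="#%s"/></ds:SignedInfo>'
            '<ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>' % (alg, ref_id))


def _response(response_sig, assertion_sig):
    return ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
            'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0">'
            '<saml:Issuer>https://contoso.b2clogin.com/example</saml:Issuer>' + response_sig +
            '<saml:Assertion ID="_asrt1" Version="2.0">'
            '<saml:Issuer>https://contoso.b2clogin.com/example</saml:Issuer>' + assertion_sig +
            '<saml:Subject><saml:NameID>user@example.com</saml:NameID></saml:Subject>'
            '</saml:Assertion></samlp:Response>')


MESSAGE_ONLY = _response(_sig(RSA_SHA1, "_resp1"), "")        # the B2C shape described above
ASSERTION_SIGNED = _response("", _sig(RSA_SHA256, "_asrt1"))  # the AAD shape described above
WRAPPED = _response("", _sig(RSA_SHA256, "_other"))           # Reference points elsewhere
SP_METADATA = ('<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
               'entityID="https://sp.example.com"><md:SPSSODescriptor WantAssertionsSigned="true" '
               'AuthnRequestsSigned="false" '
               'protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>'
               '</md:EntityDescriptor>')

if __name__ == "__main__":
    for name, xml in (("message-only", MESSAGE_ONLY), ("assertion-signed", ASSERTION_SIGNED),
                      ("wrapped", WRAPPED)):
        print(name, signature_report(xml), "accepted:", sp_accepts(xml, SP_METADATA))
```

Paste a base64-decoded SAMLResponse from the browser's POST into signature_report to see at a glance whether only the message is signed, which is what the thread reports for B2C. The reference_ok check is deliberately strict: a signature whose Reference does not target its own parent tells you nothing about that parent, even if the signature value itself verifies.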