How to sign assertion only Azure AD B2C as IdP using Custom Policy SAML

Javier Sassen 11 Reputation points
2020-02-10T10:59:14.553+00:00

I'm trying to setup Qlik Sense SSO using Azure AD B2C as SAML IdP. I followed all steps in https://learn.microsoft.com/en-us/azure/active-directory-b2c/connect-with-saml-service-providers but my SP requires the assertion to be signed. Is it possible to do this using the custom policies?

Thanks in advance!

Microsoft Entra External ID
Microsoft Entra External ID
A modern identity solution for securing access to customer, citizen and partner-facing apps and services. It is the converged platform of Azure AD External Identities B2B and B2C. Replaces Azure Active Directory External Identities.
2,703 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,092 questions
{count} votes

3 answers

Sort by: Most helpful
  1. Enric 6 Reputation points
    2020-12-18T15:44:14.627+00:00

    Hi @AmanpreetSingh-MSFT

    I think the AD B2C signs the response, not the assertion (as AD does)

    Theoretically, via B2C custom policies you can set the XmlSignatureAlgorithm metadata property in both, the reliyingparty/technicalprofile (it is related to the response)

    https://learn.microsoft.com/es-es/azure/active-directory-b2c/relyingparty#metadata

    And also ion the "ClaimsProvider" (it should be related to the asserton)

    https://learn.microsoft.com/es-es/azure/active-directory-b2c/saml-issuer-technical-profile#metadata

    But is lools like the assertion is never signed

    Question: is the "SamlAssertionSigning" key in the Claimsprovider doing something?

    By the way, the "SamlAssertionSigning" key is not mentioned in the documentation (https://learn.microsoft.com/es-es/azure/active-directory-b2c/saml-issuer-technical-profile#metadata) has something changed?

    1 person found this answer helpful.

  2. AmanpreetSingh-MSFT 56,441 Reputation points
    2020-02-10T11:46:31.883+00:00

    @Javier Sassen If you have followed all instructions mention in https://learn.microsoft.com/en-us/azure/active-directory-b2c/connect-with-saml-service-providers, you should get signed SAML assertion only. The SAML Assertion key (highlighted below) is used for this purpose:

    2771-untitled.png

    -----------------------------------------------------------------------------------------------------------

    Please "Accept as answer" wherever the information provided helps you to help others in the community.


  3. Radosław Dudyk 1 Reputation point
    2020-07-24T12:51:23.753+00:00

    I have the same problem with Load Master .
    Did you resolve this problem?

    0 comments No comments