MS Azure AD B2C as SAML IDP not working

2019-07-29 03:56发布

站内文章 / 前沿技术
34 0 0

问题:

Background

I have an application in which users signup/sign through AD B2C. In the application, there is a link which will redirect to another application which works on SAML so want MS Azure to work as IDP and sends SAML to the third application.

We achieved this in AAD (not AD B2C) through the non-gallery application but getting problems in AD B2C.

We followed this document https://github.com/Azure-Samples/active-directory-b2c-advanced-policies/blob/master/Walkthroughs/RP-SAML.md but when we hit the URL then it says "AADB2C: An exception has occured".

Base file - https://www.dropbox.com/s/ro6arbs57c43el2/base.xml?dl=0

Extension file - https://www.dropbox.com/s/uqojtk432b3wny1/base_Extensions.xml?dl=0

SignInSaml file - https://www.dropbox.com/s/i950s4bwwagry5k/signinsaml.xml?dl=0

回答1:

The best thing you could do is work with OIDC first and confirm the policy is working and then overwrite the step where you issue a JWT token with SAML

When working with SAML i have this format

Base Base-extensions (if you want it - i tend not to) policy-OIDC (This extends base) policy-SAML (This extends OIDC)

In the policy SAML I then override my user journey orchestration step that calls the JWTIssuer and then call my SAML token creator

The reason for this approach is B2C has been designed to work with OIDC , you can confirm that the journey is working as expected in OIDC and then switch to your SAML

Id also use the journey recorder, I find the older B2C journey recorder you get better than app insights but both track the same data

After checking my SAML in the office your missing some META data to tell SAML how to behave in your policy

      <Metadata>
    <Item Key="IdpInitiatedProfileEnabled">true</Item>
    <Item Key="RequestsSigned">false</Item>
    <Item Key="WantsSignedResponses">true</Item>
    <Item Key="ResponsesSigned">true</Item>
    <Item Key="AssertionsEncrypted">false</Item>
    <Item Key="WantsEncryptedAssertions">false</Item>
    <Item Key="PartnerEntity">https://my-calling-application/authservices</Item>
  </Metadata>
  <SubjectNamingInfo ClaimType="UserId"  />

Your SubjectNamingInfo will also need to be http://schemas.microsoft.com/identity/claims/userprincipalname

as this is the SAAML name you defined in your base policy



标签: azure-ad-b2c
举报

收藏的人(0)

Ta的文章 更多文章
登录 后发表评论
0条评论
还没有人评论过~