MS Azure AD B2C as SAML IDP not working

Published 2019-07-29 04:03

Background

I have an application in which users sign up/sign in through AD B2C. In the application, there is a link which redirects to another application which works on SAML, so we want MS Azure to work as IDP and send SAML to the third application.

We achieved this in AAD (not AD B2C) through the non-gallery application but getting problems in AD B2C.

We followed this document https://github.com/Azure-Samples/active-directory-b2c-advanced-policies/blob/master/Walkthroughs/RP-SAML.md, but when we hit the URL it says "AADB2C: An exception has occured".

Base file - https://www.dropbox.com/s/ro6arbs57c43el2/base.xml?dl=0

Extension file - https://www.dropbox.com/s/uqojtk432b3wny1/base_Extensions.xml?dl=0

SignInSaml file - https://www.dropbox.com/s/i950s4bwwagry5k/signinsaml.xml?dl=0

1 answer
我只想做你的唯一
#2 · 2019-07-29 04:16

The best thing you could do is work with OIDC first and confirm the policy is working, and then overwrite the step where you issue a JWT token with SAML.

When working with SAML I have this format:

- Base
- Base-extensions (if you want it - I tend not to)
- policy-OIDC (this extends Base)
- policy-SAML (this extends OIDC)

In the SAML policy I then override the user journey orchestration step that calls the JwtIssuer and call my SAML token creator instead.

The reason for this approach is that B2C has been designed to work with OIDC; you can confirm that the journey is working as expected in OIDC and then switch to your SAML.

I'd also use the journey recorder. I find the older B2C journey recorder better than App Insights, but both track the same data.

After checking my SAML in the office, you're missing some metadata to tell SAML how to behave in your policy:

    <Metadata>
      <Item Key="IdpInitiatedProfileEnabled">true</Item>
      <Item Key="RequestsSigned">false</Item>
      <Item Key="WantsSignedResponses">true</Item>
      <Item Key="ResponsesSigned">true</Item>
      <Item Key="AssertionsEncrypted">false</Item>
      <Item Key="WantsEncryptedAssertions">false</Item>
      <Item Key="PartnerEntity">https://my-calling-application/authservices</Item>
    </Metadata>
    <SubjectNamingInfo ClaimType="UserId" />

Your SubjectNamingInfo will also need to be http://schemas.microsoft.com/identity/claims/userprincipalname, as this is the SAML name you defined in your base policy.
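As an added example (not from the question or the answer), a small Python lint that applies the answer's checklist to a relying-party TechnicalProfile: the Metadata items listed above must be present, ResponsesSigned should be true, and SubjectNamingInfo must name the SAML attribute (PartnerClaimType) of one of the profile's output claims. The policy fragment is constructed for the example, and the `{*}` namespace wildcard assumes Python 3.8 or newer.

```python
import xml.etree.ElementTree as ET

# Metadata items the answer says the SAML relying-party profile needs.
REQUIRED_METADATA = {
    "IdpInitiatedProfileEnabled", "RequestsSigned", "WantsSignedResponses",
    "ResponsesSigned", "AssertionsEncrypted", "WantsEncryptedAssertions",
    "PartnerEntity",
}

def lint_saml_profile(policy_xml):
    """Return a list of findings; an empty list means the profile passes."""
    findings = []
    root = ET.fromstring(policy_xml)
    tp = root.find(".//{*}RelyingParty/{*}TechnicalProfile")
    if tp is None:
        return ["no RelyingParty/TechnicalProfile found"]
    meta = {item.get("Key"): (item.text or "").strip()
            for item in tp.findall("./{*}Metadata/{*}Item")}
    for key in sorted(REQUIRED_METADATA - meta.keys()):
        findings.append(f"missing Metadata item {key}")
    # Unsigned responses would let the relying party accept forged assertions.
    if meta.get("ResponsesSigned", "").lower() != "true":
        findings.append("ResponsesSigned should be true")
    # SubjectNamingInfo must reference the SAML attribute name of an output claim.
    partner_types = {oc.get("PartnerClaimType") or oc.get("ClaimTypeReferenceId")
                     for oc in tp.findall("./{*}OutputClaims/{*}OutputClaim")}
    sni = tp.find("./{*}SubjectNamingInfo")
    if sni is None:
        findings.append("missing SubjectNamingInfo")
    elif sni.get("ClaimType") not in partner_types:
        findings.append(f"SubjectNamingInfo ClaimType {sni.get('ClaimType')!r} "
                        "does not match any OutputClaim PartnerClaimType")
    return findings

# Constructed sample: mirrors the asker's setup (ClaimType="UserId", missing items).
SAMPLE_POLICY = """<TrustFrameworkPolicy xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06">
  <RelyingParty>
    <TechnicalProfile Id="PolicyProfile">
      <Metadata>
        <Item Key="PartnerEntity">https://my-calling-application/authservices</Item>
        <Item Key="ResponsesSigned">true</Item>
      </Metadata>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="signInName" PartnerClaimType="http://schemas.microsoft.com/identity/claims/userprincipalname"/>
      </OutputClaims>
      <SubjectNamingInfo ClaimType="UserId"/>
    </TechnicalProfile>
  </RelyingParty>
</TrustFrameworkPolicy>"""
```

Running `lint_saml_profile(SAMPLE_POLICY)` reports the five missing Metadata items and the SubjectNamingInfo mismatch; pointing ClaimType at the userprincipalname URI clears the latter.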
