Connecting the ComponentSpace SAML 2.0 stack to Azure AD B2C

Rory Braybrook
The new control plane
3 min read · Nov 16, 2020

There is some background about using Azure AD B2C as a SAML 2.0 IDP here so read that first.

The article also has links to some Microsoft Docs articles that you should read as well.

These articles show you how to do the basic B2C and SAML setup, using the SAMLTest application as the SP.

This article shows how to use ComponentSpace (CS) as the SP.

I used the CS MVC SSO sample “MvcExampleServiceProvider” for this.

The first step is to upload the CS sp.pfx to B2C. The steps are described here.

The password for the pfx file is “password”.

Replace “tenant” below with the actual name of your B2C tenant.

In the manifest for your B2C application, set:

"identifierUris": [
"https://5cg0107dz7/MvcExampleServiceProvider"
],

where “5cg0107dz7” is the name of my PC, on which the CS stack runs. You could use e.g. “localhost” for your implementation.

and:

"replyUrlsWithType": [
{
"url": "http://5cg0107dz7/MvcExampleServiceProvider/SAML/AssertionConsumerService",
"type": "Web"
}
],

In the CS web.config:

<!-- The partner identity provider for SSO. -->

<add key="PartnerIdP" value="https://tenant.b2clogin.com/tenant.onmicrosoft.com/B2C_1A_SAML2_CS_signup_signin"/>

and in the CS saml.config:

<!-- Azure AD B2C -->
<PartnerIdentityProvider Name="https://tenant.b2clogin.com/tenant.onmicrosoft.com/B2C_1A_SAML2_CS_signup_signin"
    SignLogoutRequest="true"
    WantSAMLResponseSigned="false"
    WantAssertionSigned="true"
    WantLogoutResponseSigned="true"
    UseEmbeddedCertificate="false"
    ClockSkew="00:03:00"
    SingleSignOnServiceUrl="https://tenant.b2clogin.com/tenant.onmicrosoft.com/B2C_1A_SAML2_CS_signup_signin/samlp/sso/login"
    SingleLogoutServiceUrl="https://tenant.b2clogin.com/tenant.onmicrosoft.com/B2C_1A_SAML2_CS_signup_signin/samlp/sso/logout"
    PartnerCertificateFile="B2C.cer"/>

The B2C SAML metadata is at:

https://tenant.b2clogin.com/tenant.onmicrosoft.com/B2C_1A_SAML2_CS_signup_signin/Samlp/metadata

You derive the B2C.cer file referenced in the config above from the B2C metadata as follows:

  1. Go to the metadata URL specified above.
  2. Copy the value in the <X509Certificate> element.
  3. Paste it into a text file.
  4. Save the text file as a B2C.cer file.
  5. Put this into the CS sample directory i.e. the same directory that contains sp.pfx and sp.cer.

Note: use the certificate from the KeyDescriptor whose use attribute is "signing" (this is the key the SP uses to verify B2C's assertion signatures):

<KeyDescriptor use="signing">
<KeyInfo>
<X509Data>
<X509Certificate>
MII...pzM=
</X509Certificate>
</X509Data>
</KeyInfo>
</KeyDescriptor>
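Steps 1 to 5 above are easy to get wrong by hand (picking the encryption KeyDescriptor instead of the signing one, or leaving whitespace in the base64). The script below automates them. It is an added example and not part of the original article or of ComponentSpace's tooling; the metadata it parses is a constructed sample with placeholder certificate bytes, and the URL, file name and function names are assumptions. The optional fetch_metadata function is the only part that goes on the network.

```python
import base64
import hashlib
import urllib.request
import xml.etree.ElementTree as ET

# XML namespaces used by SAML 2.0 metadata and XML-DSig
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed placeholder "certificates": a DER SEQUENCE header followed by
# filler bytes. They are NOT real certificates, just enough to exercise the
# base64 and DER-header checks below.
_FAKE_SIGNING_DER = b"\x30\x82\x01\x00" + bytes(range(256))
_FAKE_ENCRYPTION_DER = b"\x30\x82\x01\x00" + bytes(reversed(range(256)))
SIGNING_CERT_B64 = base64.b64encode(_FAKE_SIGNING_DER).decode()
ENCRYPTION_CERT_B64 = base64.b64encode(_FAKE_ENCRYPTION_DER).decode()

# Constructed sample of what the B2C metadata document looks like. Real B2C
# metadata has more elements; the shape of the KeyDescriptor is what matters.
SAMPLE_METADATA = f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://tenant.b2clogin.com/tenant.onmicrosoft.com/B2C_1A_SAML2_CS_signup_signin">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>
          {SIGNING_CERT_B64}
        </ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>
          {ENCRYPTION_CERT_B64}
        </ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def fetch_metadata(url: str) -> str:
    """Download the metadata document over HTTPS (assumed URL shape, see article)."""
    with urllib.request.urlopen(url) as resp:  # only https:// should be used here
        return resp.read().decode("utf-8")


def signing_certificates(metadata_xml: str) -> list:
    """Return the base64 DER of every IdP certificate that may sign assertions.

    KeyDescriptors with use="encryption" are skipped. A KeyDescriptor with no
    use attribute is valid for both purposes per the SAML metadata spec, so it
    is included. B2C may publish more than one signing cert during rollover.
    """
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):
            continue
        for el in kd.iterfind(".//ds:X509Certificate", NS):
            # Strip the line breaks and indentation the XML carries
            certs.append("".join((el.text or "").split()))
    return certs


def certificate_fingerprint(b64_cert: str) -> str:
    """SHA-256 hex fingerprint of the DER bytes, after a sanity check.

    Lets you compare what you extracted against the thumbprint shown in the
    B2C portal before trusting it in saml.config.
    """
    der = base64.b64decode(b64_cert, validate=True)
    if not der or der[0] != 0x30:
        raise ValueError("not a DER-encoded certificate (missing SEQUENCE tag)")
    return hashlib.sha256(der).hexdigest()


def write_cer(b64_cert: str, path: str) -> None:
    """Write the bare base64 text, which is the form the article pastes into B2C.cer."""
    with open(path, "w", encoding="ascii") as f:
        f.write(b64_cert + "\n")


if __name__ == "__main__":
    # Offline demo on the constructed sample; swap in fetch_metadata(url) for real use
    certs = signing_certificates(SAMPLE_METADATA)
    for i, cert in enumerate(certs):
        print(f"signing cert {i}: sha256={certificate_fingerprint(cert)}")
    write_cer(certs[0], "B2C.cer")
```

If the list comes back with two certificates, B2C is mid-rollover; ComponentSpace's PartnerCertificateFile points at one file, so check which fingerprint is currently signing responses before choosing.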

The actual custom policy as usual is in this gist.

This inherits from “B2C_1A_TrustFrameworkExtensions” and contains the “SignUpOrSigninSAML” RelyingParty.

This custom policy expects the SP to publish its metadata at a location that B2C can reach.

If this is not possible, you can add the metadata as a CDATA element in the custom policy which is what I did.

There is no metadata for this policy so I used the CS “Export metadata” utility to create it.

exportmetadata https://tenant.b2clogin.com/tenant.onmicrosoft.com/B2C_1A_SAML2_CS_signup_signin metadata.xml
Loading SAML configuration file saml.config.
Saving SAML metadata to metadata.xml.

The first argument is the Name you configured for the PartnerIdentityProvider in saml.config.

The second argument is the file name you want for the generated metadata.

The metadata is placed in the “PartnerEntity” element in the RelyingParty custom policy.

<Item Key="PartnerEntity"><![CDATA[<?xml version="1.0"?>

So running the CS MVC application:

Click “SSO”.

Authenticate with the local B2C user credentials:

Success!

To use the IDPInitiated flow, you need to add:

<Item Key="IdpInitiatedProfileEnabled">true</Item>

in the metadata for the RelyingParty custom policy.

You can see both of these metadata updates (CDATA and IDPInitiated) in the gist above.

The IDPInitiated URL is:

https://tenant.b2clogin.com/tenant.onmicrosoft.com/B2C_1A_SAML2_CS_signup_signin/generic/login?EntityId=https://5cg0107dz7/MvcExampleServiceProvider

where the “EntityId” is the “identifierUris” entry as per the value in the manifest.

Running this gives the same attribute screen as above.

All good!
