Using Azure AD B2C as a SAML IDP with the IDP Initiated flow

Rory Braybrook
The new control plane
3 min read · Nov 5, 2019

First read my previous post for the background, so I don’t have to repeat it here.

That post covers the SP Initiated scenario.

This post uses a different branch (for IDP Initiated) in the Github sample. The documentation is here.

From the readme in the sample:

“Here an external IdP must send a SAML assertion to AAD B2C. It will not work with B2C local accounts.

The SAML IdP Technical Profile must contain the following metadata item for IdP Initiated logons to work.

<Item Key="IdpInitiatedProfileEnabled">true</Item>

AAD B2C will validate the SAML assertion using the IdP’s metadata endpoint as presented in the TESTIDP technical profile

<Item Key="PartnerEntity">https://samltestsp.azurewebsites.net/Metadata</Item>.

AAD B2C will then pass through the claims in this example to a SAML Assertion issued back to the SAML Relying party. You can use the claims to look up and read/write an account if needed, similar to how the social account samples work.

To test this policy, you can use the

https://samltestsp.azurewebsites.net/IDP

endpoint. This endpoint will generate a SAML Assertion for a dummy user to AAD B2C. Fill in your tenant and policy Id to execute an IdP Initiated request. The response will come back to the same website as it acts as both an IdP and SP.”

Some notes around this:

IDP Initiated means that you authenticate at some other IDP, which then sends a SAML AuthnResponse to B2C containing the authenticated user’s attributes. Because B2C trusts this IDP, it also trusts those user attributes.

The point is that this user is not a user in B2C, hence the comment:

“It will not work with B2C local accounts”.

B2C fetches the IDP’s metadata endpoint, so you cannot run the .NET test app on localhost as in the previous post: B2C can’t reach it. The “samltestsp” endpoint above is in fact this test application deployed to Azure as a web site.
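To show where the two readme metadata items sit, here is an added example of a SAML2 claims-provider technical profile for the IdP-initiated flow; it is not the gist from the post or the sample repo’s code. The TESTIDP profile id, PartnerEntity URL and IdpInitiatedProfileEnabled item come from the post; the key container name, output claim mappings, claims transformations and session-management profile are assumptions.

```xml
<!-- Added example, not the post's gist: SAML2 IdP technical profile for
     the IdP-initiated flow. TESTIDP and the first two metadata items are
     from the post; everything marked "assumption" below is not. -->
<ClaimsProvider>
  <DisplayName>Test SAML IdP (IdP initiated)</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="TESTIDP">
      <DisplayName>Test SAML IdP</DisplayName>
      <Protocol Name="SAML2" />
      <Metadata>
        <!-- B2C fetches this metadata and uses the IdP's signing
             certificate to validate the unsolicited assertion. -->
        <Item Key="PartnerEntity">https://samltestsp.azurewebsites.net/Metadata</Item>
        <!-- Accept a SAML Response that B2C did not request. -->
        <Item Key="IdpInitiatedProfileEnabled">true</Item>
        <!-- Assumption: keep the signed-response requirement explicit,
             since the whole trust decision rests on that signature. -->
        <Item Key="ResponsesSigned">true</Item>
        <Item Key="WantsEncryptedAssertions">false</Item>
      </Metadata>
      <CryptographicKeys>
        <!-- Assumption: policy key container holding B2C's own SAML cert. -->
        <Key Id="SamlMessageSigning" StorageReferenceId="B2C_1A_SamlIdpCert" />
      </CryptographicKeys>
      <OutputClaims>
        <!-- Assumed mapping: subject NameID plus attributes from the
             assertion; the attribute names depend on the external IdP. -->
        <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="assertionSubjectName" />
        <OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="first_name" />
        <OutputClaim ClaimTypeReferenceId="surname" PartnerClaimType="last_name" />
        <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="email" />
        <OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="testsaml" />
        <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" AlwaysUseDefaultValue="true" />
      </OutputClaims>
      <OutputClaimsTransformations>
        <!-- Assumption: the usual social-account transformations so the
             external user can be looked up or created in B2C if needed. -->
        <OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName" />
        <OutputClaimsTransformation ReferenceId="CreateUserPrincipalName" />
        <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId" />
      </OutputClaimsTransformations>
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-Saml-idp" />
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>
```

The claims transformations and SM-Saml-idp profile must exist in the base or extensions file, and the referenced policy key must be uploaded before the policy will validate.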

As usual, the gist is here. Note that it doesn’t include the base and extensions XML files, as these are the same as in the previous post.

If you search for “<!-- Action”, you’ll see the changes I made to the original XML.

So let’s run the test application on Azure:

This time we click the “Identity provider” tab.

Enter the tenant name and the B2C policy and login.

The application “fakes” an authentication and sends the SAML AuthnResponse to B2C with some dummy attributes. The raw SAML shows that this is using the SAML 2.0 protocol.

Success!

All good!


NZ Microsoft Identity dude and MVP. Azure AD/B2C/ADFS/Auth0/identityserver. StackOverflow: https://bit.ly/2XU4yvJ Presentations: http://bit.ly/334ZPt5