Using Azure AD B2C as a SAML IDP with the SP Initiated flow

Rory Braybrook
The new control plane
3 min read · Nov 4, 2019

B2C provides support for connecting to a SAML IDP.

“With a SAML technical profile you can federate with a SAML-based identity provider, such as ADFS and Salesforce. This federation allows your users to sign in with their existing social or enterprise identities.”

But what if you want B2C to act as the SAML IDP? In this scenario, your application will be a SAML SP.

There is a sample that shows how to do this. Note that this is currently in preview.

The GitHub readme in the above sample documents the steps you need to follow.

First you need to create and upload a self-signed certificate.

Then you need to:

  • Create the SAML Token Issuer
  • Set up the user journey
  • Add the SAML Relying Party policy
  • Set up the SAML IdP in the App / SAML RP

as per the readme.

As usual, the gist with the custom policies is here.

To test, I used this SAML client.

“The SAMLTEST web application is a DotNetCore2 SAML Identity Provider and Service Provider.

This application is designed to be used with Azure AD B2C for testing / training of SAML Policies.”

So run up the application.

Note: On my PC, this runs as http://localhost:63699/.

Click the “Metadata” button.

This needs to be copied and pasted into SignUpOrSignin.xml as CDATA, e.g.

<RelyingParty>
  <DefaultUserJourney ReferenceId="SignUpOrSigninSAML" />
  <TechnicalProfile Id="PolicyProfile">
    <DisplayName>PolicyProfile</DisplayName>
    <Protocol Name="SAML2"/>
    <Metadata>
      <!-- Action required: set the value of PartnerEntity to the URL of the SP metadata, or
           embed the metadata directly using <![CDATA[]]> -->
      <!-- <Item Key="PartnerEntity">https://my-account.blob.core.windows.net/azure-ad-b2c/spring_saml_metadata.xml</Item> -->
      <Item Key="PartnerEntity">
        <![CDATA[<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
<EntityDescriptor ID="id123456789" entityID="http://localhost:63699" validUntil="2099-12-31T23:59:59Z" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://localhost:63699/logout" ResponseLocation="http://localhost:63699/logout" />
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
    <AssertionConsumerService index="0" isDefault="true" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:63699/SP/AssertionConsumer" />
  </SPSSODescriptor>
  <IDPSSODescriptor WantAuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://localhost:63699/logout" ResponseLocation="http://localhost:63699/logout" />
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://localhost:63699/IDP/AuthNRequest" />
  </IDPSSODescriptor>
</EntityDescriptor>
]]>
      </Item>
      <!-- rest of the technical profile as in the sample -->
    </Metadata>
  </TechnicalProfile>
</RelyingParty>

You also need to configure the B2C SAML Token Issuer technical profile metadata.

<Metadata>
  <!-- Action required: make sure the value is the same one as configured in the relying party application -->
  <Item Key="IssuerUri">https://tenant.b2clogin.com/tenant.onmicrosoft.com/SignUpOrSigninSAML</Item>
</Metadata>

In the more general case, the B2C metadata URL is:

https://tenant-name.b2clogin.com/tenant-name.onmicrosoft.com/policy-name/Samlp/metadata
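Before embedding SP metadata in PartnerEntity and setting IssuerUri, it is worth checking what the SP metadata actually asks for. The script below is an added example, not part of the post or the B2C sample: it parses a constructed SP metadata document of the same shape as the SAMLTEST one above, pulls out the fields B2C needs (entityID, ACS, NameIDFormat), and flags the test-only settings (unsigned assertions, unsigned AuthnRequests, http:// endpoints) that should not survive into a production policy. The tenant and policy names are placeholders.

```python
"""Added example (not the post's or the B2C sample's code): review SP metadata
before it is pasted into PartnerEntity, and derive the matching B2C URLs."""
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed sample with the same settings as the SAMLTEST SP metadata in the post.
SP_METADATA = """<EntityDescriptor entityID="http://localhost:63699"
    validUntil="2099-12-31T23:59:59Z" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
    <AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://localhost:63699/SP/AssertionConsumer"/>
  </SPSSODescriptor>
</EntityDescriptor>"""


def b2c_metadata_url(tenant: str, policy: str) -> str:
    """B2C SAML IdP metadata URL, following the pattern quoted in the post."""
    return f"https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{policy}/Samlp/metadata"


def b2c_issuer_uri(tenant: str, policy: str) -> str:
    """IssuerUri for the Saml2AssertionIssuer profile; the SP must expect this exact value."""
    return f"https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{policy}"


def review_sp_metadata(xml_text: str) -> dict:
    """Extract what B2C needs from SP metadata and list settings that are only fit for testing."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is not SP metadata")
    acs = [e.get("Location") for e in sp.findall("md:AssertionConsumerService", NS)]
    findings = []
    if sp.get("WantAssertionsSigned", "false").lower() != "true":
        findings.append("SP does not require signed assertions")
    if sp.get("AuthnRequestsSigned", "false").lower() != "true":
        findings.append("SP does not sign its AuthnRequests")
    for url in [root.get("entityID"), *acs]:
        if url and not url.startswith("https://"):
            findings.append(f"non-HTTPS endpoint: {url}")
    return {"entity_id": root.get("entityID"), "acs": acs,
            "name_id_format": [e.text for e in sp.findall("md:NameIDFormat", NS)],
            "findings": findings}


if __name__ == "__main__":
    print(b2c_metadata_url("contoso", "B2C_1A_SignUpOrSigninSAML"))
    print(review_sp_metadata(SP_METADATA))
```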

Notice the token issuer:

<OrchestrationStep Order="7" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="Saml2AssertionIssuer" />

It’s a SAML issuer rather than a JWT issuer.

Let’s test it. Click the “Service Provider” tab.

Enter the tenant name and the B2C policy.

We see the normal B2C signup / signin screen.

Enter your B2C credentials, log in, and the sign-in succeeds.

You can see from the raw SAML that it is indeed running the SAML 2.0 protocol and B2C is acting as the SAML IDP.

At the bottom of the readme, there are some examples:

The ADFS link, for example, shows how it all fits together:

All good.
