Using Azure AD B2C as a SAML IDP with the SP Initiated flow

Rory Braybrook
Nov 4

B2C provides support for connecting to a SAML IDP.

“ With a SAML technical profile you can federate with a SAML-based identity provider, such as ADFS and Salesforce. This federation allows your users to sign in with their existing social or enterprise identities.”

But what if you want B2C to act as the SAML IDP? In this scenario, your application will be a SAML SP.

There is a sample that shows how to do this. Note that this is currently in preview.

The GitHub readme in the above sample documents the steps you need to follow.

First you need to create and upload a self-signed certificate.

Then you need to:

  • Create the SAML Token Issuer
  • Set up the user journey
  • Add the SAML Relying Party policy
  • Set up the SAML IdP in the App / SAML RP

as per the readme.

As usual, the gist with the custom policies is here.

To test, I used this SAML client.

“The SAMLTEST web application is a DotNetCore2 SAML Identity Provider and Service Provider.

This application is designed to be used with Azure AD B2C for testing / training of SAML Policies.”

So run up the application.

Note: On my PC, this runs as http://localhost:63699/.

Click the “Metadata” button.

This needs to be copied and pasted into SignUpOrSignin.xml as CDATA inside the PartnerEntity item, e.g.

<RelyingParty>
  <DefaultUserJourney ReferenceId="SignUpOrSigninSAML" />
  <TechnicalProfile Id="PolicyProfile">
    <DisplayName>PolicyProfile</DisplayName>
    <Protocol Name="SAML2"/>
    <Metadata>
      <!-- Action required: set the value of PartnerEntity to the URL of the SP metadata, or
           embed the metadata directly, using <![CDATA[]]> -->
      <!-- <Item Key="PartnerEntity">https://my-account.blob.core.windows.net/azure-ad-b2c/spring_saml_metadata.xml</Item> -->
      <Item Key="PartnerEntity">
        <![CDATA[<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
<EntityDescriptor ID="id123456789" entityID="http://localhost:63699" validUntil="2099-12-31T23:59:59Z" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://localhost:63699/logout" ResponseLocation="http://localhost:63699/logout" />
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
    <AssertionConsumerService index="0" isDefault="true" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:63699/SP/AssertionConsumer" />
  </SPSSODescriptor>
  <IDPSSODescriptor WantAuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://localhost:63699/logout" ResponseLocation="http://localhost:63699/logout" />
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://localhost:63699/IDP/AuthNRequest" />
  </IDPSSODescriptor>
</EntityDescriptor>
]]>
      </Item>
    </Metadata>
    <!-- remaining elements of the technical profile as in the sample policy -->
  </TechnicalProfile>
</RelyingParty>

You also need to configure the B2C SAML Token Issuer technical profile metadata.

<Metadata>
  <!-- Action required: make sure the value is the same as the one configured in the relying party application -->
  <Item Key="IssuerUri">https://tenant.b2clogin.com/tenant.onmicrosoft.com/SignUpOrSigninSAML</Item>
</Metadata>

In the more general case, the B2C metadata URL is:

https://tenant-name.b2clogin.com/tenant-name.onmicrosoft.com/policy-name/Samlp/metadata
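Before embedding an SP's metadata in the PartnerEntity item, it is worth checking what the SP actually declares (entityID, ACS endpoints, and whether it signs requests or requires signed assertions) and deriving the matching IssuerUri and metadata URL from the tenant and policy name. The script below is an added example, not part of the original post or the sample policy; it parses a constructed copy of the SAMLTEST SP metadata shown above with the standard library and lists review findings.

```python
"""Review SP metadata before embedding it in a B2C SAML RelyingParty policy."""
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed sample, trimmed from the SAMLTEST metadata shown in the post.
# For metadata from an untrusted source, parse with defusedxml instead.
SP_METADATA = """<EntityDescriptor entityID="http://localhost:63699"
    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
    <AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://localhost:63699/SP/AssertionConsumer"/>
  </SPSSODescriptor>
</EntityDescriptor>"""


def parse_sp_metadata(xml_text):
    """Extract the SP role details B2C cares about from an EntityDescriptor."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is not SP metadata")
    return {
        "entity_id": root.get("entityID"),
        "authn_requests_signed": sp.get("AuthnRequestsSigned", "false") == "true",
        "want_assertions_signed": sp.get("WantAssertionsSigned", "false") == "true",
        "name_id_formats": [e.text for e in sp.findall("md:NameIDFormat", NS)],
        # (binding, location, is_default) per AssertionConsumerService
        "acs": [(a.get("Binding"), a.get("Location"), a.get("isDefault") == "true")
                for a in sp.findall("md:AssertionConsumerService", NS)],
    }


def review_findings(info):
    """Points a reviewer would raise before trusting this SP in production."""
    findings = []
    if not info["want_assertions_signed"]:
        findings.append("SP does not require signed assertions (WantAssertionsSigned=false)")
    if not info["authn_requests_signed"]:
        findings.append("SP does not sign AuthnRequests (AuthnRequestsSigned=false)")
    for _binding, location, _default in info["acs"]:
        if not location.startswith("https://"):
            findings.append(f"ACS endpoint is not HTTPS: {location}")
    if not any(default for _b, _l, default in info["acs"]):
        findings.append("no default AssertionConsumerService")
    return findings


def b2c_issuer_uri(tenant, policy):
    """IssuerUri for the SAML token issuer; must match what the SP is configured with."""
    return f"https://{tenant}.b2clogin.com/{tenant}.onmicrosoft.com/{policy}"


def b2c_metadata_url(tenant, policy):
    """The B2C SAML IdP metadata URL pattern from the post."""
    return b2c_issuer_uri(tenant, policy) + "/Samlp/metadata"
```

The HTTP findings are expected for the local test app and only matter once a real SP is embedded.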

Notice the token issuer:

<OrchestrationStep Order="7" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="Saml2AssertionIssuer" />

It’s a SAML issuer rather than a JWT issuer.

Let’s test it. Click the “Service Provider” tab.

Enter the tenant name and the B2C policy.

We see the normal B2C signup / signin screen.

Enter your B2C credentials and log in; the sign-in succeeds.

You can see from the raw SAML that it is indeed running the SAML 2.0 protocol and B2C is acting as the SAML IDP.

At the bottom of the readme, there are some examples:

The ADFS link, for example, shows how it all fits together:

All good.

The new control plane
