Azure Active Directory B2C, case sensitive - azure-active-directory

I have an issue with Azure AD B2C with pre-created user profiles and an external IDP.
The account email is created in lowercase in AD B2C, but from the external IDP, the email claim is in camel casing. (Yes, I know the email should be stored in lower case.)
The mapping between the email claim from the external IDP and the email address on the AD B2C account is case-sensitive, which causes problems.
This can be solved using a custom policy, but we are using the standard configuration in this case.
So is there a solution for mapping claims case-insensitively between the external IDP and AD B2C user accounts, with the standard configuration?
/Jonas

Unfortunately, I couldn't find any in a standard user flow.
If you are using custom policy, you can resolve it by using partnerClaimType as below.
<OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="preferred_username" />

Related

How do I setup IdP initiated sign on with a B2C Local account to Salesforce?

I am trying to have an IdP initiated sign on with a B2C Local account to Salesforce. Under my current configuration when I navigate to my IDP to login, I receive the following error: "AADB2C90250: SAML IDP initiated SSO is not enabled for this policy."
I have ensured that <Item Key="IdpInitiatedProfileEnabled">true</Item> is set under the technical profile in my custom policy. I'm not sure what other configuration to check and am looking for suggestions.
I'm using Azure AD B2C as IDP and Salesforce as IDP. Originally it was created for SP.
For PartnerEntity I'm using the same endpoint for SalesForce. Do I need a different endpoint or can I use the same one? Here's an example of my configuration.
I have a new setup for IDP initiated and have referenced that policy below.
<Item Key="PartnerEntity">https://<MY_SALES_FORCE_ACCOUNT>.my.salesforce.com/.well-known/samlidp/<API_POLICY>.xml</Item>
<Item Key="IssuerUri">https://<MY_DOMAIN>.b2clogin.com/<MY_DOMAIN>.onmicrosoft.com/<POLICY_NAME></Item>
Any other clues on this error would be helpful. Thanks.
• Please check whether the SAML response signature is created properly and whether the certificate used to sign the SAML messages is valid for the samlp:Response message element in the SAML message.
• If you don't already have a policy key, create one. Then configure the SamlMessageSigning metadata item in the SAML Token Issuer technical profile. StorageReferenceId must reference the policy key name.
• Make sure the technical profile and application use the same signature algorithm and the algorithm supports your certificate.
• Make sure the SAML service provider set the WantAssertionsSigned to true. If it's set to false or doesn't exist, the assertion section won't be signed.
• Make sure you specify the certificate to be used to sign the SAML assertions sections of the SAML response. Also, check the SamlAssertionSigning metadata item in the SAML Token Issuer technical profile where StorageReferenceId must reference the policy key name.
• Make sure encryption is enabled in the Azure AD B2C policy and that the public key exists in the SAML application's metadata endpoint with the KeyDescriptor use value set to Encryption.
• Also, make a note that scenarios where the initiating identity provider is an external identity provider federated with Azure AD B2C, such as Active Directory Federation Services or Salesforce, are not supported; the IdP-initiated flow is supported only for local account authentication in Azure AD B2C.
Please check the links below for more information and the sample code for IdP-initiated SAML single sign-on:
https://github.com/azure-ad-b2c/saml-sp/tree/master/policy/SAML-SP-Initiated
https://learn.microsoft.com/en-us/azure/active-directory-b2c/saml-service-provider-options?pivots=b2c-custom-policy
https://learn.microsoft.com/en-us/azure/active-directory-b2c/saml-service-provider?tabs=windows&pivots=b2c-custom-policy

Missing phone number claim in B2C ID token

We have Azure AD B2C connecting to external IDPs such as Azure AD via custom policies. I am able to include the given_name, family_name and preferred_username custom claims from Azure AD in the B2C token; however, I can't find a way to add a phone number claim. It's not there in the list of custom claims in the token configuration for the Azure AD service principal like the other three mentioned above, and I also don't see the claim type for it in TrustFrameworkBase.xml. We need to display the phone number of the user on their profile page.
In the Azure AD B2C starter pack, the phone number is stored in the claim called strongAuthenticationPhoneNumber.
To add a claim to your token, see this link.
Add this to your relying party section, under outputClaims:
<OutputClaim ClaimTypeReferenceId="strongAuthenticationPhoneNumber" />

SAML purpose and authentication in azure AD

I have to use Azure Active Directory for authentication to my web application.
In my company it was suggested to use SAML instead of OAuth, and I am very new to SAML.
Question:
Is the purpose of SAML only to authenticate, or is there any more functionality?
There are documents on using SAML in an enterprise application. So, how do I implement SAML from app registration?
SAML SSO is a form of delegated authentication. The user is authenticated at the identity provider site (eg Azure AD) which sends a SAML assertion containing user identity information to the service provider site. The service provider trusts this information and establishes a local authentication session for the user using the information contained in the SAML assertion. SAML assertions often contain the user's email address but any user identity information may be included. This is the primary use case for SAML and in many instances the only one supported.
Most platforms have SAML libraries etc available. It's strongly recommended you use one of these rather than trying to implement SAML yourself.

Azure AD B2C Custom Claims

I am using Azure AD B2C to connect a .NET Core application with an Azure AD enterprise application for authentication using the SAML protocol. I am using custom policies to enable SAML.
I have used the custom policies starter pack given in Microsoft Docs, and authentication is working properly with given name, surname, name and IDP as claims, and I want some additional claims that my application is using.
I need DOB and MemberID as claims for my application, and there was no option to add custom claims to the active directory where my enterprise application is.
I have another IDP set up in Okta, and luckily I could add custom claims like DOB and MemberID to the user profile in Okta, but I am still unable to get those claims after authentication.
This is an Azure AD question.
The problem is that DoB etc. is not part of the schema.
If you are using Azure AD Connect and these attributes are in AD, you can use directory extensions to sync them up.
You can sync them up to extensionAttributes that are in the SAML drop-down.
Then add them as outputs in B2C.
If not, you can add extension attributes to Azure AD and use a custom policy REST API that calls Graph API (either directly or via an Azure function) to get them.
Also refer to this.

B2C as IdP for SalesForce

Completely new to B2C. Tried both of these walkthroughs, but I'm missing something still:
https://github.com/Azure-Samples/active-directory-b2c-advanced-policies/blob/master/Walkthroughs/RP-SAML.md
http://blogs.quovantis.com/saml-based-sso-with-azure-ad-b2c-as-an-idp/
Both of these only describe the policies needed, but I'm pretty sure I need to register an app on B2C still? The problem I have with app registration is that SalesForce gives me a token endpoint URL with a query string:
https://mycompany.cs79.my.salesforce.com/services/oauth2/token?so=00D1h000000Cnli
And B2C won't allow query strings in the reply URL.
Is there any way around this? Salesforce also supports OpenID I think, if that would be better?
::::::::::::UPDATE 6/22::::::::::
SAML:
I found and realized I was missing a critical step on the SalesForce side: adding the authentication provider to my domain's login page. Clicking the new link redirects me to B2C, but I get an immediate error from B2C. Application Insights shows the following exception:
The SAML technical profile 'serviceProviderMetadata' specifies a PartnerEntity URL of 'REMOVED', but fetching the metadata fails with reason 'For security reasons DTD is prohibited in this XML document. To enable DTD processing set the DtdProcessing property on XmlReaderSettings to Parse and pass the settings into XmlReader.Create method.
OpenID:
Using this write-up as a guideline, I've registered the app in B2C and configured the SalesForce side.
Instead of using the Azure AD authorization endpoints, I pulled my B2C tenants endpoints from my meta data URL (login.microsoftonline.com/{tenant}/.well-known/openid-configuration).
This works for my B2C admin account; however, when I try a test user that isn't a B2C admin I get the following error from the B2C sign-in page:
Sorry, but we’re having trouble signing you in.
AADSTS50020: User account 'REMOVED' from identity provider 'LINK REMOVED' does not exist in tenant 'MTB2CTest' and cannot access the application '5c8b9f4f-cf28-42fe-b629-b87251532970' in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.
::::::::::::UPDATE 6/23::::::::::
OpenID:
I’ve found that it works 100% only for my B2C admin account if I don’t use a policy, but doesn't work for other accounts. When I use a policy, only accounts that signed up through the policy can authenticate with B2C (which is great) – but the token doesn’t seem to be reaching SalesForce. I've created two PDFs showing the configuration details and the results from each method (policy and nopolicy) here.
Both of these only describe the policies needed, but I'm pretty sure I need to register an app on B2C still?
Not exactly, you do not need to register an app on the B2C side. All the configuration you do in the policies is enough.
Did you try the Salesforce SAML SSO article https://help.salesforce.com/articleView?id=sso_saml.htm&type=5 ?
Check the above article, try to do the configuration on the Salesforce side, and grab the details required by the SAML RP.
I hope that by following both the SAML RP and Configure SAML Settings for Single Sign-On articles you can configure B2C as IDP for Salesforce.
I stumbled on this question while trying to implement Azure AD B2C as an IdP for Salesforce. We used Open ID Connect to enable SSO between the two. This involved setting up an Application in Azure AD B2C, enabling the read scope on that application, and configuring the connection in Salesforce using that application, a custom policy returning a JWT token, and a dummy User Info endpoint.
Check out this answer for exact steps on how we set up Open ID Connect: https://stackoverflow.com/a/61639332/13484109
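The IdP-initiated troubleshooting checklist earlier on this page (KeyDescriptor use value, WantAssertionsSigned) and the "DTD is prohibited" error quoted in the SAML update both come down to inspecting the service provider metadata that PartnerEntity points at. The following is an added example, not code from any of the posts or from Microsoft: it applies those checks offline with Python's standard library to a constructed metadata document; the function name check_sp_metadata, the example.invalid URLs and the placeholder certificate are assumptions.

```python
"""Pre-flight checks on SAML 2.0 SP metadata before handing it to a strict consumer such as Azure AD B2C."""
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD, "ds": "http://www.w3.org/2000/09/xmldsig#"}


def check_sp_metadata(xml_text: str) -> dict:
    """Return the findings an operator would want before pointing PartnerEntity at this document."""
    findings = {"dtd": False, "entity_id": None, "signing_key": False,
                "encryption_key": False, "want_assertions_signed": False, "acs_urls": []}
    # A strict consumer refuses any DOCTYPE (that is the B2C error text quoted in the question),
    # so flag it before parsing rather than letting the parser see the DTD at all.
    if "<!DOCTYPE" in xml_text:
        findings["dtd"] = True
        return findings
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("root element is not md:EntityDescriptor")
    findings["entity_id"] = root.get("entityID")
    spsso = root.find("md:SPSSODescriptor", NS)
    if spsso is None:
        raise ValueError("no md:SPSSODescriptor: this is not service provider metadata")
    # WantAssertionsSigned must be literally true; absent means the assertion will not be signed.
    findings["want_assertions_signed"] = spsso.get("WantAssertionsSigned", "false").lower() == "true"
    for kd in spsso.findall("md:KeyDescriptor", NS):
        use = kd.get("use")  # a KeyDescriptor without 'use' is valid for both purposes
        if kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS) is None:
            continue  # no certificate material, so it satisfies neither check
        if use in (None, "signing"):
            findings["signing_key"] = True
        if use in (None, "encryption"):
            findings["encryption_key"] = True
    findings["acs_urls"] = [a.get("Location") for a in spsso.findall("md:AssertionConsumerService", NS)]
    return findings


# Constructed sample metadata; PLACEHOLDER stands in for a base64 certificate and is not a real key.
SAMPLE_SP_METADATA = f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://example.invalid/sp">
  <md:SPSSODescriptor WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example.invalid/sp/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""
# Same document with a DTD in the prolog, which a strict consumer rejects outright.
SAMPLE_WITH_DTD = '<?xml version="1.0"?><!DOCTYPE x [<!ENTITY e "x">]>' + SAMPLE_SP_METADATA.split("?>", 1)[1]
```

A signing_key of False alongside encryption_key True is the shape of the constructed sample, not a defect in the checker: the SP publishes only an encryption certificate.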
