I'm trying to use Azure AD B2C as a SAML Identity Provider.
I am aware that several locations on the web state that B2C does not (yet) support SAML as identity provider (also e.g. answer on this question: Can I integrate a SAML application with Azure AD B2C?).
However, when I read the comparison between built-in policies and custom policies on the "Azure AD B2C Custom Policies" docs, I see that SAML is already supported today as an identity provider.
Also, I found this GitHub walk through: https://github.com/Azure-Samples/active-directory-b2c-advanced-policies/blob/master/Walkthroughs/RP-SAML.md
Following that walk through, I have an issue in step 5 "Upload Certs" of the first section "Create the SAML Token Issuer" while executing New-CpimCertificate.
I can successfully import the module ExploreAdmin.dll. However providing my credentials while calling New-CpimCertificate, I get this error on the console:
New-CpimCertificate : Unauthorized.
Access to this Api requires feature: 'Advanced' for the tenant: '<myazureb2ctenant>.onmicrosoft.com'.
Any help, thoughts, comments... are very welcome!
Azure AD B2C still does not officially support (even in preview) connecting with apps via SAML (aka being a SAML identity provider).
It only supports connecting to other identity providers via SAML (aka being a SAML relaying party).
The GitHub walk through you came across is an old walk through before the official launch of the Azure AD B2C Custom Policies preview. It talks about features that weren't included in the scope of the preview, such as B2C as a SAML IdP. It also references tools (those PowerShell scripts) and steps that are no longer applicable.
The mention of SAML in the Identity Providers section of the "Azure AD B2C Custom Policies" doc refers to supporting B2C being a relaying party that connects to a SAML Identity providers, not the other way around (where B2C is the SAML identity provider itself).
All that being said, you CAN make your scenario work, with the clear understanding that it's not supported.
You can use that GitHub document you've referenced, swapping out the steps that involve ExploreAdmin and New-CpimCertificate for these instructions that allow you to upload the certificate via the portal:
Go to your Azure AD B2C tenant. Click Settings > Identity Experience Framework > Policy Keys.
Click +Add, and then:
Click Options > Upload.
Enter a Name (for example, YourAppNameSamlCert). The prefix B2C_1A_ is automatically added to the name of your key.
To select your certificate, select upload file control.
Enter the certificate's password.
Click Create.
Verify that you've created a key (for example, B2C_1A_YourAppNameSamlCert).
Related
I have to use Azure Active Directory for authentication to my web application.
In my company it was suggested to use SAML instead of oauth and I am very new to SAML.
Question:
Is the purpose of SAML is only to authenticate or there is any more functionality?
There are documents to use SAML in enterprise application. So,How to implement saml from app registration?
SAML SSO is a form of delegated authentication. The user is authenticated at the identity provider site (eg Azure AD) which sends a SAML assertion containing user identity information to the service provider site. The service provider trusts this information and establishes a local authentication session for the user using the information contained in the SAML assertion. SAML assertions often contain the user's email address but any user identity information may be included. This is the primary use case for SAML and in many instances the only one supported.
Most platforms have SAML libraries etc available. It's strongly recommended you use one of these rather than trying to implement SAML yourself.
I am using Aure AD B2C to connect a .Net core application with Azure AD Enterprise application for authentication using SAML protocol. I am using custom policies to enable SAML.
I have used custom policies starter pack given in Microsoft Docs, and authentication is working properly with given name, surname, name, IDP as claims and I want so additional claims that my application is using.
I need DOB and MemberID as claims for my application and there was no option to add custom claims to the active directory where my enterprise application is.
I have another IDP setup in Okta and luckily I could add custom claims like DOB and MemberID to user profile in Okta but still I am unable to get those claims after authentication.
This is an Azure AD question.
The problem is that DoB etc. is not part of the schema.
If you are using Azure AD Connect and these attributes are in AD, you can use directory extensions to synch them up.
You can synch them up to extensionAttributes that are in the SAML drop-down.
Then add them as outputs in B2C.
If not, you can add extension attributes to Azure AD and use a custom policy REST API that calls Graph API (either directly or via Azure function) to get them.
Also refer this.
Azure AD B2B has a preconfigured Google integration and the ability add external Idp. Has any one configured it with Okta?.
Looking for guidance - What do we need from Okta to get the meta data etc.
Tried the Google B2b integration and it works. But stuck trying to create external SAML provider for integration with Okta. Are there any step by step guidance or instructions to get the info from Okta to enable this?
Here is the generic documentation on the preview feature. That is a starting point for your endeavor.
Using this documentation (and respective OKTA one - probably this one) you should be able to configure OKTA as a SAML IdP for Azure AD Direct Federation feature.
Important terms in that setup: OKTA will be the SAMP IdP (Identity Provider) while Azure AD will be SAML SP (Service Provider).
There is nothing more concrete about integrating OKTA as IdP for direct federation. Also please note that this feature is in preview in AAD.
Completely new to B2C. Tried both of these walkthroughs, but I'm missing something still:
https://github.com/Azure-Samples/active-directory-b2c-advanced-policies/blob/master/Walkthroughs/RP-SAML.md
http://blogs.quovantis.com/saml-based-sso-with-azure-ad-b2c-as-an-idp/
Both of these only describe the policies needed, but I'm pretty sure I need to register an app on B2C still? The problem I have with app registration is that SalesForce gives me a token endpoint URL with a query string:
https://mycompany.cs79.my.salesforce.com/services/oauth2/token?so=00D1h000000Cnli
And B2C won't allow query strings in the reply URL.
Is there any way around this? Salesforce also supports OpenID I think, if that would be better?
::::::::::::UPDATE 6/22::::::::::
SAML:
I found and realized I was missing a critical step on the SalesForce side: adding the authentication provider to my domain's login page. Clicking the new link redirects me to B2C, but I get an immediate error from B2C. Application Insights shows the following exception:
The SAML technical profile 'serviceProviderMetadata' specifies a PartnerEntity URL of 'REMOVED', but fetching the metadata fails with reason 'For security reasons DTD is prohibited in this XML document. To enable DTD processing set the DtdProcessing property on XmlReaderSettings to Parse and pass the settings into XmlReader.Create method.
OpenID:
Using this write-up as a guideline, I've registered the app in B2C and configured the SalesForce side.
Instead of using the Azure AD authorization endpoints, I pulled my B2C tenants endpoints from my meta data URL (login.microsoftonline.com/{tenant}/.well-known/openid-configuration).
This works for my B2C admin account, however, when I try try a test user that isn't a B2C admin I get the following error from the B2C sign-in page:
Sorry, but we’re having trouble signing you in.
AADSTS50020: User account 'REMOVED' from identity provider 'LINK REMOVED' does not exist in tenant 'MTB2CTest' and cannot access the application '5c8b9f4f-cf28-42fe-b629-b87251532970' in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.
::::::::::::UPDATE 6/23::::::::::
OpenID:
I’ve found that it works 100% only for my B2C admin account if I don’t use a policy, but doesn't work for other accounts. When I use a policy, only accounts that signed up through the policy can authenticate with B2C (which is great) – but the token doesn’t seem to be reaching SalesForce. I've created two PDFs showing the configuration details and the results from each method (policy and nopolicy) here.
Both of these only describe the policies needed, but I'm pretty sure I need to register an app on B2C still?
Not exactly, you no need to register an app at B2C side. All the configuration you do in Policies is enough.
Did you try Salesforce SAML SSO article https://help.salesforce.com/articleView?id=sso_saml.htm&type=5
Check the above article and try to do configurations at Salesforce side and grab the details required by SAML RP
I hope by following both SAML RP and Configure SAML Settings for Single Sign-On articles you can configure B2C as IDP for Salesforce.
I stumbled on this question while trying to implement Azure AD B2C as an IdP for Salesforce. We used Open ID Connect to enable SSO between the two. This involved setting up an Application in Azure AD B2C, enabling the read scope on that application, and configuring the connection in Salesforce using that application, a custom policy returning a JWT token, and a dummy User Info endpoint.
Check out this answer for exact steps on how we set up Open ID Connect: https://stackoverflow.com/a/61639332/13484109
I have configured Azure B2C as IDP via SAML successfully for a single Service Provider. There are many pieces that i don't understand in this setup even though its working.
I will describe what i have so far and then ask questions later.
Let's say I have two Service Providers,SP1/SP2 both require SAML and a page to signup/signin. SP1 requires loyality_id as custom attribute and SP2 requires product_name attribute.
Here's the source code that works.
Credit/Thanks to this blog
Below is the high level summary of the configuration.
SAML for SP1 (Service Provider 1):
Add signing and encryption keys to the B2C tenant
Register Identity Experience Framework applications
Create web app IdentityExperienceFramework in Azure Active Directory
Create native app ProxyIdentityExperienceFramework in Azure Active Directory
Start from starter pack for LocalAccounts as base
Add Saml2AssertionIssuer to the base policy
Add user journey SignInSaml to the base policy
In Extension Policy override "Local Account SignIn" claims provider and add substitute values for "client_id" and "IdTokenAudience" from apps that were created earlier
Policy file with RelyingParty for SP1
This describes the output claims that are added to the SAML response
Signup/signin policies for SP1:
Create built-in signup and sigin policy
Create Application in Azure B2C blade
So far with this setup, I have two Applications in Azure Active Directory for custom policies and one Application in Azure B2C blade for built-in policy.
According to https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-create-custom-attributes-profile-edit-custom,
Extension properties can only be registered on an Application object
even though they may contain data for a User. The property is attached
to the application. The Application object must be granted write
access to register an extension property.
What is the "Application" the above paragraph is referring to?
What is the purpose of the apps IdentityExperienceFramework/ProxyIdentityExperienceFramework
To setup for SP2, do I need to create separate Azure Active directory apps for IdentityExperienceFramework/ProxyIdentityExperienceFramework? Or can I use the same ones? How do custom attributes factor in this?
How do I setup custom attributes in this case where SAML is through Custom policy and Signin/Signup is builtin policy
In this case, under what App context are the custom attributes created?
I appreciate any pointers.
Thanks
The application is the one created in the section "Creating a new application to store the extension properties".
The apps purpose is to enable sign-in using local accounts. The same apps can be used accross multiple policies.
Custom attributes are related to the application created in app registrations at Azure AD level, and with the permissions detailed in the configuration docs.
In my Github profile, you can find a different implementation of the B2C as SAML issuer scenario: https://github.com/marcelodiiorio/My-Azure-AD-B2C-use-cases.
Tell me if you have more questions.