Connecting Azure AD B2C as an SP to Entra ID via SAML

Rory Braybrook
The new control plane
3 min read · Apr 29, 2024


Image of federation (by Copilot Designer)

I’ve written several “Connecting” posts over the years describing how to connect one IDP to another.

To explore the entire ‘Connecting’ series, simply follow my Authory link and enter “connecting” in the search box.

I’ve never written up this combination, and I was recently asked about it, hence the post.

Note: the usual way to do this is via OIDC, not SAML.

The docs. are here and here.

As usual, the custom policy is in a gist.

B2C side

As per the docs., you first need a B2C certificate. B2C uses its private key to sign the SAML requests (and metadata) it sends to Entra ID, so the key must be exportable:

# Self-signed signing certificate for the B2C SAML technical profile.
# Exportable, because the .pfx (with private key) is uploaded to B2C as a policy key.
New-SelfSignedCertificate `
-KeyExportPolicy Exportable `
-Subject "CN=yourappname.yourtenant.onmicrosoft.com" `
-KeyAlgorithm RSA `
-KeyLength 2048 `
-KeyUsage DigitalSignature `
-NotAfter (Get-Date).AddMonths(12) `
-CertStoreLocation "Cert:\CurrentUser\My"

Then export it as a password-protected .pfx (private key included) and upload it as a policy key under Identity Experience Framework > Policy keys. In the gist, the key is called “B2C_1A_SAMLMetadata”.

You also need to point the SAML2 technical profile at the Entra ID federation metadata via the PartnerEntity item; B2C reads the IdP entity ID, single sign-on endpoints and signing certificate from that document.

<Item Key="PartnerEntity">https://login.microsoftonline.com/00...79/federationmetadata/2007-06/federationmetadata.xml</Item>

Then, upload the custom policy and test.

While developing this, I got these errors:

AADB2C90168: The HTTP-Redirect request does not contain the required 
parameter 'Signature' for a signed request.

and:

"Exception": {
  "Kind": "Handled",
  "HResult": "80131500",
  "Message": "The assertion has an invalid signature.",
  "Data": {
    "IsPolicySpecificError": false
  }
}

These went away after adding two items to the Metadata of the SAML2 technical profile. Both default to true; setting them to false switches off B2C’s signature verification of the IdP’s SAML response and of the assertion inside it:

<Protocol Name="SAML2"/>
<Metadata>
  <!-- other Items such as PartnerEntity also live here -->
  <!-- both default to true; false disables the corresponding signature check -->
  <Item Key="ResponsesSigned">false</Item>
  <Item Key="WantsSignedAssertions">false</Item>
</Metadata>

Note: This is not secure. With both items set to false, B2C no longer verifies any signature on what Entra ID returns, so anything POSTed to the B2C assertion consumer URL is accepted as a valid login for whatever user it names. It is fine for getting the wiring to work; do not ship it. Use your own judgement. See below.

When you run the policy and authenticate, you are asked to enter some more user details:

Image of screen asking for given name and surname

and then you get the JWT.

Entra side

To configure this on the Entra side, first create an Enterprise Application.

Image showing links to users and groups and SSO

Assign the users (or groups) who should be allowed to sign in through this federation; anyone not assigned is refused by Entra ID before a SAML response is issued.

The B2C SAML metadata is at:

https://tenant.b2clogin.com/tenant.onmicrosoft.com/B2C_1A_signup_signinSAMLMeta/samlp/metadata?idptp=Contoso-SAML2

Save the B2C metadata as a file and then upload it to set up the SSO. Note that the idptp query parameter must match the Id of the SAML2 technical profile in the custom policy, otherwise B2C serves no metadata.

Image showing link to upload metadata file

You should then be able to run the custom policy and federate.

If you want the SAML response and/or assertion signed, so that ResponsesSigned and WantsSignedAssertions can go back to their default of true, configure the signing option on the Entra ID side as per this post, then set the two B2C items to match what Entra actually signs.

Image showing SAML signing certificate options
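As an added example (not code from this post, from Microsoft, or from the gist), here is a small offline check of the trust described above: it parses the Entra federation metadata that PartnerEntity points at and the Metadata items of the B2C SAML2 technical profile, reports when the ResponsesSigned/WantsSignedAssertions workaround has left no signature verified, and compares the two items against the signing option chosen on the Entra enterprise application. The XML is constructed sample input with a placeholder tenant ID and certificate, and the mapping from Entra signing option to B2C items is my reading of the two products’ documentation, stated as an assumption.

```python
"""Offline sanity check of the Azure AD B2C (SP) <-> Entra ID (IdP) SAML trust.
Added example; all XML below is constructed, the tenant ID and certificate are
placeholders, and the signing-option mapping is an assumption (see lead-in)."""
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
TENANT = "00000000-0000-0000-0000-000000000079"  # placeholder tenant ID

# Constructed stand-in for https://login.microsoftonline.com/<tenant>/federationmetadata/2007-06/federationmetadata.xml
ENTRA_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/{TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>MIIC...PLACEHOLDER...</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

# Constructed fragment of the B2C custom policy with both signature checks
# switched off, i.e. the workaround from the post.
B2C_PROFILE_INSECURE = f"""<TechnicalProfile Id="Contoso-SAML2">
  <Protocol Name="SAML2"/>
  <Metadata>
    <Item Key="PartnerEntity">https://login.microsoftonline.com/{TENANT}/federationmetadata/2007-06/federationmetadata.xml</Item>
    <Item Key="ResponsesSigned">false</Item>
    <Item Key="WantsSignedAssertions">false</Item>
  </Metadata>
</TechnicalProfile>"""

# Assumed meaning of each Entra enterprise-app "Signing Option" for the B2C items.
ENTRA_SIGNING_OPTIONS = {
    "Sign SAML assertion":              {"ResponsesSigned": "false", "WantsSignedAssertions": "true"},
    "Sign SAML response":               {"ResponsesSigned": "true",  "WantsSignedAssertions": "false"},
    "Sign SAML response and assertion": {"ResponsesSigned": "true",  "WantsSignedAssertions": "true"},
}


def _local(tag):
    """Strip a namespace prefix ({ns}Tag -> Tag) so a real policy file, which
    declares a default namespace, parses the same way as the fragment above."""
    return tag.rsplit("}", 1)[-1]


def parse_idp_metadata(xml_text):
    """Extract entity ID, signing certificates and SSO endpoints from IdP metadata."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):  # no 'use' attribute means signing AND encryption
            for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                certs.append((c.text or "").strip())
    sso = {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)}
    return {"entity_id": root.get("entityID"), "signing_certs": certs, "sso": sso}


def parse_b2c_items(xml_text):
    """Return the <Item Key=...> values of a B2C technical profile as a dict."""
    return {el.get("Key"): (el.text or "").strip()
            for el in ET.fromstring(xml_text).iter() if _local(el.tag) == "Item"}


def audit_trust(items, idp, entra_signing_option):
    """List findings; an empty list means the trust is consistent and signatures are checked."""
    findings = []
    expected = ENTRA_SIGNING_OPTIONS[entra_signing_option]
    # Both items default to true when absent (B2C SAML technical profile reference).
    actual = {k: items.get(k, "true").lower() for k in expected}
    if actual["ResponsesSigned"] == "false" and actual["WantsSignedAssertions"] == "false":
        findings.append("CRITICAL: no signature is verified on the SAML response or the assertion; "
                        "anything POSTed to the B2C assertion consumer URL is trusted")
    for key, want in expected.items():
        if actual[key] != want:
            findings.append(f"MISMATCH: {key}={actual[key]} but Entra option "
                            f"'{entra_signing_option}' implies {want}")
    if not any(idp["signing_certs"]):
        findings.append("CRITICAL: IdP metadata carries no signing certificate")
    if not items.get("PartnerEntity", "").startswith("https://"):
        findings.append("CRITICAL: PartnerEntity must be an https metadata URL")
    return findings


def hardened_items(items, entra_signing_option):
    """Copy of the items with the two signature flags set to match the Entra option."""
    return {**items, **ENTRA_SIGNING_OPTIONS[entra_signing_option]}


if __name__ == "__main__":
    idp = parse_idp_metadata(ENTRA_METADATA)
    items = parse_b2c_items(B2C_PROFILE_INSECURE)
    for f in audit_trust(items, idp, "Sign SAML assertion"):
        print(f)
    fixed = hardened_items(items, "Sign SAML response and assertion")
    print("after hardening:", audit_trust(fixed, idp, "Sign SAML response and assertion"))
```

Run it against the insecure fragment and it reports the missing signature verification plus the mismatch with the Entra default ("Sign SAML assertion"); against the hardened items with "Sign SAML response and assertion" it reports nothing. To use it on a real tenant, paste the downloaded federation metadata and the TechnicalProfile element from your policy in place of the two constructed strings.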

All good!
