Connecting Azure AD B2C as an SP to Entra ID via SAML
I’ve written several “Connecting” posts over the years describing how to connect one IDP to another.
To explore the entire ‘Connecting’ series, simply follow my Authory link and enter “connecting” in the search box.
I’ve never written up this combination, and I was recently asked about it, hence the post.
Note: the usual way to do this is via OIDC, not SAML.
As usual, the custom policy is in a gist.
B2C side
As per the docs, you first need a B2C certificate:
# Self-signed signing certificate for the B2C SAML technical profile; it is
# exported afterwards and uploaded to B2C as a policy key.
New-SelfSignedCertificate `
-KeyExportPolicy Exportable `
-Subject "CN=yourappname.yourtenant.onmicrosoft.com" `
-KeyAlgorithm RSA `
-KeyLength 2048 `
-KeyUsage DigitalSignature `
-NotAfter (Get-Date).AddMonths(12) `
-CertStoreLocation "Cert:\CurrentUser\My"
Then, upload this as a policy key. In the gist, it’s called “B2C_1A_SAMLMetadata”.
You also need to enter the Entra ID metadata in the custom policy.
<Item Key="PartnerEntity">https://login.microsoftonline.com/00...79/federationmetadata/2007-06/federationmetadata.xml</Item>
Then, upload the custom policy and test.
While developing this, I got these errors:
AADB2C90168: The HTTP-Redirect request does not contain the required
parameter 'Signature' for a signed request.
and:
"Exception": {
"Kind": "Handled",
"HResult": "80131500",
"Message": "The assertion has an invalid signature.",
"Data": {
"IsPolicySpecificError": false
}
}
These were fixed by adding the metadata:
<Protocol Name="SAML2"/>
<Metadata>
<Item Key="ResponsesSigned">false</Item>
<Item Key="WantsSignedAssertions">false</Item>
Note: This is not secure. With both items set to false, B2C no longer requires a signature on the SAML response or on the assertion, so it loses the integrity check that tells it the assertion really came from Entra ID. Use your own judgement. See below for having Entra ID sign the token instead.
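To see which signature each of those two settings switches off, and what the first error (AADB2C90168) is actually looking for, here is an added Python example; it is not code from the post or from the linked gist. It inspects where a ds:Signature sits in a POST-binding SAML Response (directly under the Response, which ResponsesSigned governs, or under the Assertion, which WantsSignedAssertions governs) and whether an HTTP-Redirect AuthnRequest URL carries the Signature query parameter. It checks structure only, never cryptographic validity; the request, responses, tenant GUID and URLs are constructed with placeholder values.

```python
"""Where the signatures live in this federation's messages.

Added example, not code from the post or from the linked gist. It checks
structure only (is a signature present, and on which element), never the
signature's cryptographic validity. Every request, response and URL below is
constructed with placeholder values.
"""
import base64
import xml.etree.ElementTree as ET
import zlib
from urllib.parse import parse_qs, urlencode, urlsplit

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed AuthnRequest in the shape a B2C SAML technical profile sends.
AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_req1" Version="2.0"
  IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://tenant.b2clogin.com/tenant.onmicrosoft.com/B2C_1A_signup_signinSAMLMeta</saml:Issuer>
</samlp:AuthnRequest>"""

# Constructed Response with one unsigned Assertion (placeholder issuer and subject).
UNSIGNED_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"
  IssueInstant="2024-01-01T00:00:01Z">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:01Z">
    <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
    <saml:Subject><saml:NameID>user@example.com</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

# Same Response with a structural ds:Signature on the Assertion (placeholder, not a valid signature).
SIGNED_ASSERTION_RESPONSE = UNSIGNED_RESPONSE.replace(
    "<saml:Subject>",
    '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo/>'
    "<ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature><saml:Subject>",
    1,
)


def build_redirect_url(sso_url, authn_request_xml, signature=None):
    """Build an HTTP-Redirect binding URL: raw DEFLATE, base64, then query-encode.
    A signature travels as SigAlg + Signature query parameters, never inside the
    deflated XML (constructed helper; no real signing is performed)."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw DEFLATE, no zlib header
    deflated = comp.compress(authn_request_xml.encode()) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode()}
    if signature is not None:
        params["SigAlg"] = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
        params["Signature"] = signature
    return sso_url + "?" + urlencode(params)


def redirect_binding_signature_state(url):
    """Report whether a redirect-binding request URL carries the Signature
    parameter; AADB2C90168 is B2C finding it absent while the policy says
    requests are signed."""
    q = parse_qs(urlsplit(url).query)
    state = {
        "has_request": "SAMLRequest" in q,
        "has_sigalg": "SigAlg" in q,
        "has_signature": "Signature" in q,
        "issuer": None,
    }
    if state["has_request"]:
        raw = zlib.decompress(base64.b64decode(q["SAMLRequest"][0]), -15)
        state["issuer"] = ET.fromstring(raw).findtext("saml:Issuer", namespaces=NS)
    return state


def response_signature_state(xml_text):
    """Report which elements of a POST-binding Response carry a ds:Signature:
    directly under samlp:Response (ResponsesSigned) and/or under each
    saml:Assertion (WantsSignedAssertions)."""
    root = ET.fromstring(xml_text)
    response_signed = root.find("ds:Signature", NS) is not None
    assertions = root.findall("saml:Assertion", NS)
    assertions_signed = [a.find("ds:Signature", NS) is not None for a in assertions]
    # With neither signature present, nothing binds the assertion to the IdP.
    integrity_unprotected = not response_signed and (not assertions or not all(assertions_signed))
    return {
        "response_signed": response_signed,
        "assertions": len(assertions),
        "assertions_signed": assertions_signed,
        "integrity_unprotected": integrity_unprotected,
    }


if __name__ == "__main__":
    sso = "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"  # placeholder tenant
    print(redirect_binding_signature_state(build_redirect_url(sso, AUTHN_REQUEST)))
    print(response_signature_state(UNSIGNED_RESPONSE))
    print(response_signature_state(SIGNED_ASSERTION_RESPONSE))
```

Run it against a captured response from your own tenant (the XML posted to the assertion consumer URL, base64-decoded) to confirm which element Entra ID is signing before deciding whether either of the two metadata items can safely stay at false.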
When you run the policy and authenticate, you are asked to enter some more user details (screenshot omitted), and then you get the JWT.
Entra side
To configure this on the Entra side, first create an Enterprise Application.
Assign the users you want to log in with when you federate.
The B2C SAML metadata is at:
https://tenant.b2clogin.com/tenant.onmicrosoft.com/B2C_1A_signup_signinSAMLMeta/samlp/metadata?idptp=Contoso-SAML2
Save the B2C metadata as a file and then upload it to set up the SSO.
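Metadata is exchanged in both directions above: B2C reads the Entra ID federation metadata named in PartnerEntity, and Entra ID reads the B2C SP metadata from the URL just given. The following is an added example, not code from the post, the gist or Microsoft's samples: a Python parser over two constructed, simplified metadata documents that pulls out what each side actually consumes (entityID, signing certificates, endpoints, and the signing expectations each role advertises) and flags the pairing problems that lead to the errors seen earlier. The entityIDs, tenant GUID, endpoint paths and certificate strings are placeholders, and a real Entra ID federation metadata document carries more (WS-Federation RoleDescriptor elements, several keys) than this cut-down shape.

```python
"""Inspect the SAML metadata each side of this federation consumes.

Added example, not code from the post or from Microsoft's samples. Both
documents below are constructed, simplified shapes with placeholder values.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed IdP metadata (placeholder tenant GUID and certificate).
IDP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"
      WantAuthnRequestsSigned="false">
    <KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>MIIC...PLACEHOLDER...</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

# Constructed SP metadata in the shape B2C publishes for a SAML technical profile
# (assertion consumer path is a placeholder, not taken from a real tenant).
SP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://tenant.b2clogin.com/tenant.onmicrosoft.com/B2C_1A_signup_signinSAMLMeta">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"
      AuthnRequestsSigned="true" WantAssertionsSigned="true">
    <KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>MIID...PLACEHOLDER...</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://tenant.b2clogin.com/tenant.onmicrosoft.com/B2C_1A_signup_signinSAMLMeta/samlp/sso/assertionconsumer"
        index="0" isDefault="true"/>
  </SPSSODescriptor>
</EntityDescriptor>"""

# The same SP metadata as B2C would publish it with WantsSignedAssertions set to false.
SP_METADATA_RELAXED = SP_METADATA.replace('WantAssertionsSigned="true"', 'WantAssertionsSigned="false"')


def parse_metadata(xml_text):
    """Extract entityID, role, signing certificates, endpoints and the signing
    expectations from one EntityDescriptor (IdP or SP)."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    sp = root.find("md:SPSSODescriptor", NS)
    role = idp if idp is not None else sp
    if role is None:
        raise ValueError("no IDPSSODescriptor or SPSSODescriptor in metadata")
    info = {"entity_id": root.get("entityID"), "role": "IdP" if idp is not None else "SP",
            "signing_certs": [], "endpoints": {}}
    for kd in role.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without 'use' is valid for both signing and encryption.
        if kd.get("use") in (None, "signing"):
            for cert in kd.findall(".//ds:X509Certificate", NS):
                info["signing_certs"].append(cert.text.strip())
    endpoint_tag = "md:SingleSignOnService" if idp is not None else "md:AssertionConsumerService"
    for ep in role.findall(endpoint_tag, NS):
        info["endpoints"][ep.get("Binding").rsplit(":", 1)[-1]] = ep.get("Location")
    info["wants_authn_requests_signed"] = role.get("WantAuthnRequestsSigned")
    info["authn_requests_signed"] = role.get("AuthnRequestsSigned")
    info["wants_assertions_signed"] = role.get("WantAssertionsSigned")
    return info


def federation_warnings(idp, sp):
    """Pairing checks worth running before uploading either document."""
    warnings = []
    if idp["role"] != "IdP" or sp["role"] != "SP":
        warnings.append("documents are not an IdP/SP pair")
    if not idp["signing_certs"]:
        warnings.append("IdP metadata carries no signing certificate; responses cannot be verified")
    if sp["wants_assertions_signed"] != "true":
        warnings.append("SP does not require signed assertions (WantsSignedAssertions=false in the policy)")
    if not {"HTTP-Redirect", "HTTP-POST"} & set(idp["endpoints"]):
        warnings.append("IdP advertises no usable SingleSignOnService binding")
    return warnings


if __name__ == "__main__":
    idp, sp = parse_metadata(IDP_METADATA), parse_metadata(SP_METADATA)
    print(idp["entity_id"], idp["endpoints"])
    print(federation_warnings(idp, sp))
    print(federation_warnings(idp, parse_metadata(SP_METADATA_RELAXED)))
```

Pointing parse_metadata at the real documents (the PartnerEntity URL's content and the B2C metadata URL's content, downloaded to files) shows you the signing certificate thumbprint each side will trust and whether the relaxed ResponsesSigned/WantsSignedAssertions settings are visible in what B2C publishes.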
You should then be able to run the custom policy and federate.
If you want to have the SAML token signed, you can configure the options on the Entra ID side as per this post.
All good!