AD FS is configured with custom policies as a claims provider on Azure AD B2C using SAML 2.0. The relying party on Azure AD B2C is using OpenID Connect.

AD FS issues a SAML 2.0 Assertion including role claims. If the roles are returned in two separate Attribute elements:

<saml:Attribute Name="http://test.com/claims/role">
  <saml:AttributeValue>role1</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="http://test.com/claims/role">
  <saml:AttributeValue>role2</saml:AttributeValue>
</saml:Attribute>

only the last claim is read by Azure AD B2C.

Otherwise, if the roles are returned as AttributeValue elements in one Attribute element:

<saml:Attribute Name="http://test.com/claims/roles">
  <saml:AttributeValue>role1</saml:AttributeValue>
  <saml:AttributeValue>role2</saml:AttributeValue>
</saml:Attribute>

all the role values are read.

The Azure AD B2C role ClaimType used is:

<ClaimType Id="role">
  <DisplayName>Role</DisplayName>
  <DataType>string</DataType>
  <DefaultPartnerClaimTypes>
    <Protocol Name="OAuth2" PartnerClaimType="role" />
    <Protocol Name="OpenIdConnect" PartnerClaimType="role" />
    <Protocol Name="SAML2" PartnerClaimType="http://test.com/claims/role" />
  </DefaultPartnerClaimTypes>
  <UserHelpText/>
</ClaimType> 

<ClaimType Id="roles">
  <DisplayName>Roles</DisplayName>
  <DataType>stringCollection</DataType>
  <DefaultPartnerClaimTypes>
    <Protocol Name="OAuth2" PartnerClaimType="roles" />
    <Protocol Name="OpenIdConnect" PartnerClaimType="roles" />
    <Protocol Name="SAML2" PartnerClaimType="http://test.com/claims/roles" />
  </DefaultPartnerClaimTypes>
  <UserHelpText/>
</ClaimType> 

SAML 2.0 supports both sending multiple Attributes with the same name and one Attribute with a list of AttributeValues. Is there a way for Azure AD B2C to read multiple Attributes with the same name and not only the last one?

Anders Revsgaard

1 Answer

I solved the problem by adding a custom SAML 2.0 broker in between the AD FS and Azure AD B2C. The SAML 2.0 broker is a Relying Party (RP) on the AD FS and an Identity Provider (IdP) for Azure AD B2C. This way it is possible to convert the claims and issue a new SAML 2.0 token with a claims structure supported by Azure AD B2C.

Both the RP and IdP part of the SAML 2.0 broker can be implemented with the ITfoxtec.Identity.Saml2 package.

Anders Revsgaard
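The claim conversion such a broker performs, as an added Python example that is not code from the question, the answer or the ITfoxtec.Identity.Saml2 library: it takes the AttributeStatement of an incoming assertion (after the broker has validated its signature, which is out of scope here), merges same-named Attribute elements into one Attribute with several AttributeValue children, and optionally renames the claim to the name a B2C stringCollection claim expects. The sample statement and the http://test.com claim names are constructed from the question.

```python
import xml.etree.ElementTree as ET
from collections import OrderedDict
from typing import Dict, List, Optional

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}

# Constructed sample: the shape the question says AD FS emits, with the role
# claim split across two Attribute elements that share the same Name.
SAMPLE_ATTRIBUTE_STATEMENT = f"""
<saml:AttributeStatement xmlns:saml="{SAML_NS}">
  <saml:Attribute Name="http://test.com/claims/role">
    <saml:AttributeValue>role1</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="http://test.com/claims/role">
    <saml:AttributeValue>role2</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="http://test.com/claims/email">
    <saml:AttributeValue>user@example.com</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
""".strip()


def merge_same_name_attributes(statement: ET.Element,
                               rename: Optional[Dict[str, str]] = None) -> ET.Element:
    """Build a new AttributeStatement in which each Name occurs once and carries
    every AttributeValue seen for it, in first-seen order. `rename` maps an
    incoming Name to the outgoing Name (e.g. .../role -> .../roles)."""
    rename = rename or {}
    merged: "OrderedDict[str, List[str]]" = OrderedDict()
    for attr in statement.findall("saml:Attribute", NS):
        name = rename.get(attr.get("Name"), attr.get("Name"))
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        merged.setdefault(name, []).extend(values)
    out = ET.Element(f"{{{SAML_NS}}}AttributeStatement")
    for name, values in merged.items():
        attr_el = ET.SubElement(out, f"{{{SAML_NS}}}Attribute", Name=name)
        for value in values:
            ET.SubElement(attr_el, f"{{{SAML_NS}}}AttributeValue").text = value
    return out


def attribute_values(statement: ET.Element) -> Dict[str, List[str]]:
    """Name -> list of values, for inspecting a (merged) statement."""
    return {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
            for a in statement.findall("saml:Attribute", NS)}


def demo() -> Dict[str, List[str]]:
    """Merge the two role Attributes and rename them to the B2C 'roles' claim."""
    ET.register_namespace("saml", SAML_NS)
    src = ET.fromstring(SAMPLE_ATTRIBUTE_STATEMENT)
    out = merge_same_name_attributes(
        src, rename={"http://test.com/claims/role": "http://test.com/claims/roles"})
    return attribute_values(out)
```

The merged statement must be placed into a freshly built assertion that the broker signs itself; the original assertion's signature no longer covers the rewritten claims.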