
I'm attempting to use B2C Custom Policies to configure B2C as my SAML IdP. As a test I've set up our on-premise ADFS environment as the SAML RP, which seems to be required in order for the B2C logon page to work (B2C SAML doesn't support an IdP-initiated session).

I've been following the guides at https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-get-started-custom and https://github.com/Azure-Samples/active-directory-b2c-advanced-policies/blob/master/Walkthroughs/RP-SAML.md to set up my B2C environment.

I get as far as showing the B2C sign-in page that the end user receives. However, after I enter the credentials of an account into the B2C sign-in page, I get redirected back to my RP with a SAML token, but it is not parsing any of the configured claims. The SAML token is showing the following error:

<samlp:Status>
  <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder" />
  <samlp:StatusMessage>Id:410906d7-639d-4828-b28d-22f84dfa617b ; Message: Policy &apos;B2C_1A_signup_signin_saml' in tenant ' mytenant.onmicrosoft.com'' specifies the claim 'sub' for the SubjectNamingInfo, but the claim is either not present or is null.</samlp:StatusMessage>
  <IsPolicySpecificError>true</IsPolicySpecificError>
</samlp:Status>

My SignUpOrSigninSaml.xml RP config is as follows:

<RelyingParty>
  <DefaultUserJourney ReferenceId="SignUpOrSignInSaml"/>
  <TechnicalProfile Id="PolicyProfile">
    <DisplayName>PolicyProfile</DisplayName>
    <Protocol Name="SAML2" />
    <Metadata>
      <Item Key="PartnerEntity">https://adfs-test.mycorporation.com.au/FederationMetadata/2007-06/FederationMetadata.xml</Item>
      <Item Key="KeyEncryptionMethod">Rsa15</Item>
      <Item Key="DataEncryptionMethod">Aes256</Item>
      <Item Key="XmlSignatureAlgorithm">Sha256</Item>
    </Metadata>
    <OutputClaims>
      <OutputClaim ClaimTypeReferenceId="displayName" />
      <OutputClaim ClaimTypeReferenceId="givenName" />
      <OutputClaim ClaimTypeReferenceId="surname" />
    </OutputClaims>
    <!-- The ClaimType in the SubjectNamingInfo element below is a reference to the name of the claim added to the claims bag used by the token minting process.
    This name is determined in the following order. If no PartnerClaimType is specified on the output claim above, then the DefaultPartnerClaimType for the protocol specified in the claims schema if one exists is used, otherwise the ClaimTypeReferenceId in the output claim is used.

    For the SubjectNamingInfo below we use the DefaultPartnerClaimType of http://schemas.microsoft.com/identity/claims/objectidentifier, since the output claim does not specify a PartnerClaimType. -->
    <!-- <SubjectNamingInfo ClaimType="http://schemas.microsoft.com/identity/claims/objectidentifier" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" ExcludeAsClaim="true"/> -->
    <SubjectNamingInfo ClaimType="sub" />
  </TechnicalProfile>
</RelyingParty>

I've tried a few different configurations for the "SubjectNamingInfo" such as:

<SubjectNamingInfo ClaimType="http://schemas.microsoft.com/identity/claims/objectidentifier" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" ExcludeAsClaim="true"/>

<SubjectNamingInfo ClaimType="sub" />

<SubjectNamingInfo ClaimType="name" />

But they all produce the same error.

I believe that once the SubjectNamingInfo issue is sorted the configured OutputClaims will show.

Anyone know how I can resolve this so I am able to see the claims of my user account in the token?

---Edit---

I attempted to add "sub" as an output claim; however, because it is not defined in the Base file, B2C won't allow it. Alternatively, I tried changing the subject naming info to a claim that is already defined as an output claim:

<SubjectNamingInfo ClaimType="givenName" />

However I still seem to get the same error:

<samlp:Status>
  <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder" />
  <samlp:StatusMessage>Id:a3fe7ab0-4483-45b6-93f8-e75b539a3aea ; Message: The relying party technical profile of policy &apos;mytenant.onmicrosoft.com' in tenant 'B2C_1A_signup_signin_saml' specifies the claim type 'givenName' as the subject naming info claim, but the claim is not present or is null.</samlp:StatusMessage>
  <IsPolicySpecificError>true</IsPolicySpecificError>
Brady
  • Are you setting a value for the subject claim in any of the steps you execute as part of this journey? – nyoung Apr 05 '18 at 11:02
  • @nyoung I've tried setting the subject claim to givenName knowing that it should be set during the user journey. Receiving same error – Brady Apr 06 '18 at 04:07

1 Answer


It isn't common to use the sub claim as the <saml:Subject><saml:NameID> element for a SAML assertion.

It is recommended to use the objectId claim as follows.

1) Ensure the objectId claim is declared with a partner claim for the SAML2 protocol:

<ClaimType Id="objectId">
  <DisplayName>Object Identifier</DisplayName>
  <DataType>string</DataType>
  <DefaultPartnerClaimTypes>
    <Protocol Name="OAuth2" PartnerClaimType="oid" />
    <Protocol Name="OpenIdConnect" PartnerClaimType="oid" />
    <Protocol Name="SAML2" PartnerClaimType="http://schemas.microsoft.com/identity/claims/objectidentifier" />
  </DefaultPartnerClaimTypes>
</ClaimType>

2) Add the objectId claim to the <OutputClaims /> collection for the relying party technical profile and set the SubjectNamingInfo element:

<RelyingParty>
  <TechnicalProfile Id="PolicyProfile">
    <OutputClaims>
      <OutputClaim ClaimTypeReferenceId="objectId" />
      <OutputClaim ClaimTypeReferenceId="displayName" />
      <OutputClaim ClaimTypeReferenceId="givenName" />
      <OutputClaim ClaimTypeReferenceId="surname" />
    </OutputClaims>
    <SubjectNamingInfo ClaimType="http://schemas.microsoft.com/identity/claims/objectidentifier" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" ExcludeAsClaim="true"/>
  </TechnicalProfile>
</RelyingParty>

More information about SubjectNamingInfo

The ClaimType attribute for the SubjectNamingInfo element references a claim type that must be declared as an output claim for the technical profile.

This claim type is referenced by name with the following precedence:

1) If the PartnerClaimType attribute for the OutputClaim element is specified, then the ClaimType attribute for the SubjectNamingInfo element must be set to the ClaimTypeReferenceId attribute for this OutputClaim element:

<RelyingParty>
  <TechnicalProfile Id="PolicyProfile">
    <OutputClaims>
      <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="http://schemas.microsoft.com/identity/claims/objectidentifier" />
      ...
    </OutputClaims>
    <SubjectNamingInfo ClaimType="objectId" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" ExcludeAsClaim="true"/>
  </TechnicalProfile>
</RelyingParty>

2) If the PartnerClaimType attribute for the OutputClaim element is not specified, then the ClaimType attribute for the SubjectNamingInfo element must be set to the DefaultPartnerClaimType attribute for the ClaimType element that is referenced by the ClaimTypeReferenceId attribute for this OutputClaim element:

<ClaimType Id="objectId">
  <DefaultPartnerClaimTypes>
    <Protocol Name="SAML2" PartnerClaimType="http://schemas.microsoft.com/identity/claims/objectidentifier" />
  </DefaultPartnerClaimTypes>
</ClaimType>

<RelyingParty>
  <TechnicalProfile Id="PolicyProfile">
    <OutputClaims>
      <OutputClaim ClaimTypeReferenceId="objectId" />
      ...
    </OutputClaims>
    <SubjectNamingInfo ClaimType="http://schemas.microsoft.com/identity/claims/objectidentifier" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" ExcludeAsClaim="true"/>
  </TechnicalProfile>
</RelyingParty>
Chris Padgett
  • I tried changing the SubjectNamingInfo to "givenName" knowing it is configured as an Output claim however still producing the same error unfortunately. I've updated my post with the error. – Brady Apr 06 '18 at 01:12
  • Hi @Brady I've updated the above answer with more information about setting the `SubjectNamingInfo` element. – Chris Padgett Apr 07 '18 at 01:11
  • Hey @Chris Padgett. Thanks for the detailed information however it is still producing the same error: I suspect that the issue is related to the fact that this feature in B2C is still in public preview however I'm happy to send you my Base, Extensions and RP .xml files if you want to try them yourself? Alternatively if you have this working in your B2C tenancy I could give your configuration files a shot? (with the sensitive information in the files removed of course :) ) – Brady Apr 11 '18 at 06:41
  • Hi @Brady [An example policy](https://github.com/Azure-Samples/active-directory-b2c-advanced-policies/blob/master/wingtipgamesb2c/Policies/b2ctechready.onmicrosoft.com_B2C_1A_sign_in_billing.xml) can be found in the Wingtip sample. It invokes [a sign-in user journey](https://github.com/Azure-Samples/active-directory-b2c-advanced-policies/blob/89b0c2e3f78605521e16d443a160fdbb0e5acca9/wingtipgamesb2c/Policies/b2ctechready.onmicrosoft.com_B2C_1A_base.xml#L3895) that issues a SAML token using the `userPrincipalName` claim for the `SubjectNamingInfo` element. – Chris Padgett Apr 11 '18 at 10:56
  • Hi @Brady Have you added the "SM-Saml" technical profile and then specified it as `` for the "Saml2AssertionIssuer" technical profile? If so and if you remove it as the session management technical profile, does the SAML policy successfully complete? – Chris Padgett Apr 18 '18 at 05:32
  • @Chirs Padgett - you legend!! removing the sorted the issue out. I can now see the claims passing as they should!. Thanks so much. This has been driving me nuts. – Brady Apr 20 '18 at 08:30
  • Sorry. Misspelt @Chris Padgett. – Brady Apr 23 '18 at 11:54
  • @ChrisPadgett I'm very curious, why would removing that SM-Saml technical profile help? And what are the implications of doing so? – Lars Kemmann Jun 26 '20 at 20:32
  • Hi @LarsKemmann I believe the `RP-SAML` example was out-of-date at time of writing. It is recommended that the SAML token issuer technical profile does refer to a SAML SSO session provider technical profile so that a SSO session is used between Azure AD B2C and a relying party application. For more information, see [here](https://learn.microsoft.com/en-us/azure/active-directory-b2c/saml-issuer-technical-profile#session-management). – Chris Padgett Aug 09 '20 at 08:48
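The name-resolution precedence that the answer spells out (PartnerClaimType on the OutputClaim, else the SAML2 DefaultPartnerClaimType of the ClaimType, else the ClaimTypeReferenceId itself) can be checked offline before a policy is uploaded, which surfaces the "claim is either not present or is null" mismatch from the question without a round trip through the sign-in page. The linter below is an added example, not code from the question, the answer or the Azure-Samples repository. The claims schema and the four RelyingParty fragments are constructed for the example: the objectId declaration mirrors the answer, while the SAML2 partner claim type given to givenName is an assumption (check the real TrustFrameworkBase.xml), and `_local`, `token_claim_names` and `check_subject_naming_info` are hypothetical helper names.

```python
# Added example: lint a B2C RelyingParty technical profile against the
# SubjectNamingInfo resolution rule described in the answer above.
import xml.etree.ElementTree as ET

OID_URI = "http://schemas.microsoft.com/identity/claims/objectidentifier"


def _local(tag: str) -> str:
    """Strip an XML namespace ({ns}Name -> Name) so bare snippets and namespaced policy files both work."""
    return tag.rsplit("}", 1)[-1]


def saml2_default_partner_claims(schema_xml: str) -> dict:
    """Map ClaimType Id -> PartnerClaimType declared for <Protocol Name="SAML2" />."""
    defaults = {}
    for claim in ET.fromstring(schema_xml.strip()).iter():
        if _local(claim.tag) != "ClaimType":
            continue
        for proto in claim.iter():
            if _local(proto.tag) == "Protocol" and proto.get("Name") == "SAML2":
                defaults[claim.get("Id")] = proto.get("PartnerClaimType")
    return defaults


def token_claim_names(schema_xml: str, rp_xml: str) -> dict:
    """Map the name each OutputClaim carries into the token-minting claims bag -> its
    ClaimTypeReferenceId, following the answer's precedence:
      1. PartnerClaimType set on the OutputClaim -> referenced by ClaimTypeReferenceId
      2. else the SAML2 DefaultPartnerClaimType of the ClaimType, if declared
      3. else the ClaimTypeReferenceId itself
    """
    defaults = saml2_default_partner_claims(schema_xml)
    names = {}
    for oc in ET.fromstring(rp_xml.strip()).iter():
        if _local(oc.tag) != "OutputClaim":
            continue
        ref = oc.get("ClaimTypeReferenceId")
        if oc.get("PartnerClaimType") is not None:
            names[ref] = ref                      # rule 1
        else:
            names[defaults.get(ref, ref)] = ref   # rule 2, falling back to rule 3
    return names


def check_subject_naming_info(schema_xml: str, rp_xml: str) -> tuple:
    """Return (ok, message) for the SubjectNamingInfo element of the profile."""
    sni = next((e for e in ET.fromstring(rp_xml.strip()).iter()
                if _local(e.tag) == "SubjectNamingInfo"), None)
    if sni is None:
        return False, "no SubjectNamingInfo element in the technical profile"
    wanted = sni.get("ClaimType")
    names = token_claim_names(schema_xml, rp_xml)
    if wanted in names:
        return True, f"NameID will be populated from output claim '{names[wanted]}'"
    return False, (f"SubjectNamingInfo ClaimType '{wanted}' matches no output claim; "
                   f"usable values are {sorted(names)}")


# Constructed claims schema (givenName's SAML2 partner claim type is an assumption).
SCHEMA = """
<ClaimsSchema>
  <ClaimType Id="objectId">
    <DefaultPartnerClaimTypes>
      <Protocol Name="OAuth2" PartnerClaimType="oid" />
      <Protocol Name="OpenIdConnect" PartnerClaimType="oid" />
      <Protocol Name="SAML2" PartnerClaimType="http://schemas.microsoft.com/identity/claims/objectidentifier" />
    </DefaultPartnerClaimTypes>
  </ClaimType>
  <ClaimType Id="givenName">
    <DefaultPartnerClaimTypes>
      <Protocol Name="SAML2" PartnerClaimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" />
    </DefaultPartnerClaimTypes>
  </ClaimType>
  <ClaimType Id="displayName" />
</ClaimsSchema>
"""


def rp_profile(output_claims: str, subject_naming_info: str) -> str:
    """Build a minimal RelyingParty technical profile around its two variable parts."""
    return (f'<RelyingParty><TechnicalProfile Id="PolicyProfile"><Protocol Name="SAML2" />'
            f'<OutputClaims>{output_claims}</OutputClaims>{subject_naming_info}'
            '</TechnicalProfile></RelyingParty>')


PERSISTENT = 'Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" ExcludeAsClaim="true"'
# The question's profile: 'sub' is named but is not an output claim at all.
RP_QUESTION = rp_profile('<OutputClaim ClaimTypeReferenceId="displayName" />'
                         '<OutputClaim ClaimTypeReferenceId="givenName" />',
                         '<SubjectNamingInfo ClaimType="sub" />')
# The question's edit: givenName is output, but reaches the bag under its SAML2 default name.
RP_EDIT = rp_profile('<OutputClaim ClaimTypeReferenceId="givenName" />',
                     '<SubjectNamingInfo ClaimType="givenName" />')
# The answer's precedence-2 form (no PartnerClaimType, so the default URI is referenced).
RP_ANSWER = rp_profile('<OutputClaim ClaimTypeReferenceId="objectId" />'
                       '<OutputClaim ClaimTypeReferenceId="displayName" />',
                       f'<SubjectNamingInfo ClaimType="{OID_URI}" {PERSISTENT}/>')
# The answer's precedence-1 form (PartnerClaimType set, so the reference id is used).
RP_PARTNER = rp_profile(f'<OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="{OID_URI}" />',
                        f'<SubjectNamingInfo ClaimType="objectId" {PERSISTENT}/>')

if __name__ == "__main__":
    for label, rp in [("question", RP_QUESTION), ("edit", RP_EDIT),
                      ("answer", RP_ANSWER), ("partner-claim-type", RP_PARTNER)]:
        ok, msg = check_subject_naming_info(SCHEMA, rp)
        print(f"{label:18} {'OK ' if ok else 'ERR'} {msg}")
```

Running it flags both of the question's attempts and accepts both forms from the answer. The edit case is the instructive one: givenName is a declared output claim, yet without a PartnerClaimType it enters the claims bag under its SAML2 default name, so `ClaimType="givenName"` still matches nothing, which is exactly the second error the question reports. To lint a real policy, read the ClaimsSchema from TrustFrameworkBase.xml and the RelyingParty element from the RP file; the namespace is stripped by `_local`, so the same functions apply.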