We are migrating to Azure AD B2C, and we have some IdP-initiated SSO flows with federated third parties that we need to send SAML tokens to.

There are some SAML attributes where we get the value from a B2C API connector to augment the token. From what I have read, B2C will prefix these SAML attributes on the token with extension_.

We're already doing SSO with several third parties, and they all have a standardized set of attribute names that they expect on the token. So, it will be extra work for them if they need to code a special case for us where we send the SAML attributes with an extension_ prefix.

Is it possible to add those extension attributes to the SAML token without the extension_ prefix?
Toby Artisan

1 Answer

B2C does not automatically make extension attributes; you have to define them.

In terms of SAML claims, you have this option:

<ClaimType Id="groups">
    <DisplayName>Groups</DisplayName>
    <DataType>string</DataType>
    <DefaultPartnerClaimTypes>
        <Protocol Name="SAML2" PartnerClaimType="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"/>
        <Protocol Name="OpenIdConnect" PartnerClaimType="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"/>
    </DefaultPartnerClaimTypes>
</ClaimType>

or you can do this in the RP:

<OutputClaim ClaimTypeReferenceId="extension_companyname" PartnerClaimType="companyname"/>
rbrayb
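The two mechanisms named in the answer, applied to the questioner's case, as an added example that is not part of the answer or of any Microsoft sample: the claim keeps its internal `extension_` ClaimType Id, and only the partner-facing SAML attribute name is changed. The claim name `extension_companyname`, the tenant name `yourtenant`, the policy id `B2C_1A_saml_claims_example`, the base policy and user journey references, and the attribute name `companyname` are all assumed placeholders; the element and attribute names are those of the B2C custom policy schema.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example, not from the answer above. Assumed placeholders: yourtenant,
     B2C_1A_saml_claims_example, extension_companyname, companyname, and the
     base policy / user journey ids. -->
<TrustFrameworkPolicy xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06"
                      PolicySchemaVersion="0.3.0.0"
                      TenantId="yourtenant.onmicrosoft.com"
                      PolicyId="B2C_1A_saml_claims_example"
                      PublicPolicyUri="http://yourtenant.onmicrosoft.com/B2C_1A_saml_claims_example">

  <!-- Assumed: the usual extensions file that already registers the extension attribute app. -->
  <BasePolicy>
    <TenantId>yourtenant.onmicrosoft.com</TenantId>
    <PolicyId>B2C_1A_TrustFrameworkExtensions</PolicyId>
  </BasePolicy>

  <BuildingBlocks>
    <ClaimsSchema>
      <!-- Option 1: a per-protocol default name. Used wherever this claim is output
           without an explicit PartnerClaimType. The Id still carries extension_;
           the SAML attribute emitted is "companyname". -->
      <ClaimType Id="extension_companyname">
        <DisplayName>Company name</DisplayName>
        <DataType>string</DataType>
        <DefaultPartnerClaimTypes>
          <Protocol Name="SAML2" PartnerClaimType="companyname"/>
          <Protocol Name="OpenIdConnect" PartnerClaimType="companyname"/>
        </DefaultPartnerClaimTypes>
      </ClaimType>
    </ClaimsSchema>
  </BuildingBlocks>

  <RelyingParty>
    <!-- Assumed user journey id from the base policy. -->
    <DefaultUserJourney ReferenceId="SignUpOrSignIn"/>
    <TechnicalProfile Id="PolicyProfile">
      <DisplayName>PolicyProfile</DisplayName>
      <Protocol Name="SAML2"/>
      <Metadata>
        <Item Key="IssuerUri">https://yourtenant.b2clogin.com/yourtenant.onmicrosoft.com/B2C_1A_saml_claims_example</Item>
      </Metadata>
      <OutputClaims>
        <!-- Option 2: rename on the relying-party output claim. This takes precedence
             over the DefaultPartnerClaimTypes entry above for this RP only. -->
        <OutputClaim ClaimTypeReferenceId="extension_companyname" PartnerClaimType="companyname"/>
        <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub"/>
      </OutputClaims>
      <SubjectNamingInfo ClaimType="sub" ExcludeAsClaim="true"/>
    </TechnicalProfile>
  </RelyingParty>
</TrustFrameworkPolicy>
```

Use option 1 when every SAML relying party should see the same attribute name, and option 2 when a single partner needs its own name; if both are present, the `PartnerClaimType` on the `OutputClaim` wins for that relying party. Whichever option is used, the value still has to be populated into `extension_companyname` earlier in the user journey (for instance by the REST technical profile that fronts the API connector), or the attribute is omitted from the assertion.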