I've followed the steps from https://docs.microsoft.com/en-us/azure/active-directory-b2c/saml-service-provider?tabs=windows&pivots=b2c-custom-policy
While testing, I receive the error "Application registered corresponding to IssuerUri "https://xyz.com/suite" in AuthRequest does not have assertion consumer service URL "xyz.com/.../AssertionConsumer" specified in its metadata.</samlp:StatusMessage>"
SAML Request:
<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="xyz.com/.../AssertionConsumer" Destination="https://<tenantname>.b2clogin.com/<tenantname>.onmicrosoft.com/B2C_1A_signup_signin/samlp/sso/login" ID="_39d15c6a-1234-4d48-9ea6-625375271234" IssueInstant="2021-07-23T15:10:23.070Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" ProviderName="https://xyz.com/suite" Version="2.0" >
SAML Response:
<samlp:Response xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xsi="www.w3.org/.../XMLSchema-instance" ID="_a35d337b-dd47-4fdd-a0f1-9c40f97bda22" InResponseTo="_39d15c6a-1234-4d48-9ea6-625375271234" Version="2.0" IssueInstant="2021-07-23T15:10:23.6766184Z" Destination="xyz.com/.../AssertionConsumer" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" >
MS document says: If you choose to configure the reply URL and logout URL in the application manifest without populating the application's metadata endpoint via the samlMetadataUrl property, Azure AD B2C will not validate the SAML request signature, nor will it encrypt the SAML response.
A workaround could be specifying the PartnerEntity in the SP metadata URL for the Relying Party in the B2C_1A_signup_signin_saml custom policy?
<Metadata>
<Item Key="PartnerEntity">samltestapp2.azurewebsites.net/...</Item>
</Metadata>
Do I need to host the SP / Appian SAML metadata file on an Azure Storage account or some other endpoint to refer to from the IdP application registration manifest?
Thanks.
Hi Karikalan,
Could you please check in your Admin Console whether the URL in the Service Provider Entity ID option is defined in this pattern: https://xyx.appiancloud.com
You should not include the /suite.
Regards,
Acacio B.
Thanks Acacio, still receiving the same error without "Suite" on it.
<samlp:StatusMessage>Application registered corresponding to IssuerUri "https://xyz.com" in AuthRequest does not have assertion consumer service URL "https://xyz.com/suite/saml/AssertionConsumer" specified in its metadata.
I just want to make sure the IdentifierUris format in my B2C IdentityExperienceFramework application registration JSON manifest is correct: "identifierUris": [ "https://xyz.com/c3bcfc1c-1234-4a3b-96e6-db0933071234" ],
Secondly, I'm not clear on what this means I should do in TrustFrameworkExtensions.xml. From the MS reference doc: You can change the value of the IssuerUri metadata item in the SAML token issuer technical profile. This change will be reflected in the issuerUri attribute returned in the SAML response from Azure AD B2C. Your application should be configured to accept the same issuerUri during SAML response validation.
Should <Metadata> <Item Key="IssuerUri">https://issuerUriMyAppExpects</Item> </Metadata> be replaced as shown below?
<Metadata> <Item Key="IssuerUri">xyz.com/...</Item> </Metadata>
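An added example, not part of this thread or of Appian's or Microsoft's code, that mirrors the two checks behind the StatusMessage above: the IdP first maps the request's Issuer to an app registration, then requires the request's AssertionConsumerServiceURL to be one the registration's SP metadata declares, so a response is only ever posted to a pre-registered endpoint. The xyz.example URLs, the metadata document and the registration table are constructed placeholders; a registration with None stands for a manifest that sets reply URLs but no samlMetadataUrl.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
}

# Constructed SP metadata (placeholder, not Appian's real file). entityID is matched against
# the app registration's identifierUris; each ACS Location is an allowed response endpoint.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://xyz.example">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://xyz.example/suite/saml/AssertionConsumer" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed registrations keyed by identifierUri. None models a manifest with reply URLs
# but no samlMetadataUrl, so the IdP has no ACS list to match the request against.
REGISTRATIONS = {"https://xyz.example": SP_METADATA, "https://xyz.example/suite": None}

def registered_acs_urls(metadata_xml):
    """Return the set of ACS Locations published in SP metadata (empty if there is none)."""
    if metadata_xml is None:
        return set()
    root = ET.fromstring(metadata_xml)
    return {a.get("Location") for a in root.iterfind(".//md:AssertionConsumerService", NS)}

def validate_authn_request(authn_request_xml, registrations=REGISTRATIONS):
    """Look up the app by Issuer, then require the request's ACS URL to be declared for it."""
    req = ET.fromstring(authn_request_xml)
    issuer_el = req.find("saml:Issuer", NS)
    issuer = issuer_el.text.strip() if issuer_el is not None and issuer_el.text else None
    acs = req.get("AssertionConsumerServiceURL")
    if issuer not in registrations:
        return f"No application registered for IssuerUri {issuer!r}"
    if acs not in registered_acs_urls(registrations[issuer]):
        return (f"Application registered corresponding to IssuerUri {issuer!r} does not have "
                f"assertion consumer service URL {acs!r} specified in its metadata")
    return "OK"

def build_authn_request(issuer, acs_url):
    """Constructed minimal AuthnRequest carrying only the fields the check reads."""
    return (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
            f'ID="_example" Version="2.0" IssueInstant="2021-07-23T15:10:23Z" '
            f'AssertionConsumerServiceURL="{acs_url}">'
            f'<saml:Issuer>{issuer}</saml:Issuer></samlp:AuthnRequest>')
```

Calling validate_authn_request with Issuer https://xyz.example/suite reproduces the thread's message because that registration carries no metadata, while Issuer https://xyz.example passes since its metadata lists the /suite/saml/AssertionConsumer endpoint.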
You can try to have a look in this link, perhaps this can help you to double check your configurations on the Azure side:
https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/appian-tutorial#next-steps
When I got a similar error, it was because the Reply URL had not been saved.
But following the steps provided in the link solved my case.
Hope that also helps you.
A.
Thanks Acacio, that issue has been resolved by changing to issuer id as suggested in the forum https://stackoverflow.com/questions/65710654/mendix-and-azure-ad-b2c-authrequest-does-not-have-assertion-consumer-service-url
However, the SP sign-in page now displays an error "The username or password provided in the request are invalid". Though the username and password are correct, I'm not sure why I get this error... In B2B, I used to assign user access to the registered app, whereas in B2C I don't see any such option; I was wondering how the system will recognize that a B2C local account user has access privilege to the application?
"identifierUris": [ "https://xyz.com" ],
Quick question,
Is your Authentication Method set to None?
Thanks Acacio, yes. It's set to None.
Also, I can see we don't need to assign users like in B2B, as shown below. SAML tracer only shows the Request, not the Response. I've tried registering the application in both the B2C Service blade and the B2C Tenant AAD blade and still receive the same invalid user/pwd error. The same account has been created in both B2C and Appian. It looks like a more common error, as discussed on docs.microsoft.com/.../unable-to-sign-on-using-custom-policy.html
"The username or password provided in the request are invalid" - This issue has been resolved by granting the "IdentityExperienceFramework" (User_impersonation - Delegated Type) API permission. I could not see this solution in the MS documentation guidance; however, this has resolved my issue. Thanks.
That is a good tip, could you please change the status of the thread to answered so it can help more people in the future?
Regards
Acacio B
Done, thanks Acacio.