B2C SAML Authentication Integration Error.

I've followed the steps from https://docs.microsoft.com/en-us/azure/active-directory-b2c/saml-service-provider?tabs=windows&pivots=b2c-custom-policy

While testing I'm receiving the error: "Application registered corresponding to IssuerUri "https://xyz.com/suite" in AuthRequest does not have assertion consumer service URL "xyz.com/.../AssertionConsumer" specified in its metadata.</samlp:StatusMessage>"

SAML Request:

<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    AssertionConsumerServiceURL="xyz.com/.../AssertionConsumer"
    Destination="https://<tenantname>.b2clogin.com/<tenantname>.onmicrosoft.com/B2C_1A_signup_signin/samlp/sso/login"
    ID="_39d15c6a-1234-4d48-9ea6-625375271234"
    IssueInstant="2021-07-23T15:10:23.070Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    ProviderName="https://xyz.com/suite"
    Version="2.0"
    >

SAML Response:

<samlp:Response xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:xsi="www.w3.org/.../XMLSchema-instance"
    ID="_a35d337b-dd47-4fdd-a0f1-9c40f97bda22"
    InResponseTo="_39d15c6a-1234-4d48-9ea6-625375271234"
    Version="2.0"
    IssueInstant="2021-07-23T15:10:23.6766184Z"
    Destination="xyz.com/.../AssertionConsumer"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    >

MS document says: If you choose to configure the reply URL and logout URL in the application manifest without populating the application's metadata endpoint via the samlMetadataUrl property, Azure AD B2C will not validate the SAML request signature, nor will it encrypt the SAML response. 

A workaround could be specifying the PartnerEntity (the SP metadata URL) for the Relying Party in the B2C_1A_signup_signin_saml custom policy?

<Metadata>
    <Item Key="PartnerEntity">samltestapp2.azurewebsites.net/...</Item>
</Metadata>

Do I need to host the SP / Appian SAML metadata file on an Azure Storage account or some other endpoint, to refer to it from the IdP application registration manifest?

Thanks.


  • Hi Karikalan,

    Could you please check in your Admin Console whether, in the Service Provider Entity ID option, the URL is defined in this pattern: https://xyx.appiancloud.com

    You should not include the /suite.

    Regards,

    Acacio B.

  • Thanks Acacio, still receiving the same error without "Suite" on it.

    <samlp:StatusMessage>Application registered corresponding to IssuerUri "https://xyz.com"
    in AuthRequest does not have assertion consumer service URL "https://xyz.com/suite/saml/AssertionConsumer" specified in its metadata.

    I just want to make sure the identifierUris format in my B2C IdentityExperienceFramework application registration JSON manifest is correct:

    "identifierUris": [
        "https://xyz.com/c3bcfc1c-1234-4a3b-96e6-db0933071234"
    ],

    Secondly, I'm not clear on what this means I should do in TrustFrameworkExtensions.xml. From the MS reference doc: "You can change the value of the IssuerUri metadata item in the SAML token issuer technical profile. This change will be reflected in the issuerUri attribute returned in the SAML response from Azure AD B2C. Your application should be configured to accept the same issuerUri during SAML response validation."

    Should <Metadata> <Item Key="IssuerUri">https://issuerUriMyAppExpects</Item> </Metadata> be replaced as shown below?

    <Metadata>
        <Item Key="IssuerUri">xyz.com/...</Item>
    </Metadata>
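Both the original error and this reply come down to the same two comparisons the IdP makes before it answers: the issuer named in the AuthnRequest must equal the entityID in the SP metadata the IdP holds, and the AssertionConsumerServiceURL in the request must be one of the AssertionConsumerService locations that metadata lists. The script below is an added example, not code from the thread, from Appian or from Microsoft; it performs those two checks locally against a constructed SP metadata document so a mismatch such as "https://xyz.com" versus "https://xyz.com/suite" shows up before the IdP's StatusMessage does. It assumes exact string comparison of URLs (no trailing-slash or case normalisation), that the issuer is carried in a saml:Issuer child element rather than only in ProviderName, and it uses the placeholder host from the thread.

```python
"""Check a SAML AuthnRequest against the service provider's own metadata.

Added example (not from the thread, Appian or Microsoft). Assumptions: URLs are
compared as exact strings, the SP metadata lists every ACS endpoint, and the
request carries its issuer in a saml:Issuer element.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed SP metadata using the placeholder host from the thread.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://xyz.com/suite">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://xyz.com/suite/saml/AssertionConsumer" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def _authn_request(issuer, acs_url):
    """Build a constructed AuthnRequest; ID and IssueInstant are placeholders."""
    return f"""<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-request-id" Version="2.0" IssueInstant="2021-07-23T15:10:23Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    AssertionConsumerServiceURL="{acs_url}">
  <saml:Issuer>{issuer}</saml:Issuer>
</samlp:AuthnRequest>"""


# Issuer and ACS URL both match the metadata above.
AUTHN_REQUEST_OK = _authn_request(
    "https://xyz.com/suite", "https://xyz.com/suite/saml/AssertionConsumer")
# Issuer without "/suite" and an ACS URL the metadata does not list.
AUTHN_REQUEST_BAD = _authn_request(
    "https://xyz.com", "https://xyz.com/saml/AssertionConsumer")


def parse_sp_metadata(xml_text):
    """Return (entityID, {(binding, location), ...}) from an SP EntityDescriptor."""
    root = ET.fromstring(xml_text)
    entity_id = root.get("entityID")
    endpoints = set()
    for acs in root.iterfind("md:SPSSODescriptor/md:AssertionConsumerService", NS):
        endpoints.add((acs.get("Binding"), acs.get("Location")))
    return entity_id, endpoints


def check_authn_request(xml_text, metadata):
    """Return a list of mismatch descriptions; an empty list means consistent."""
    entity_id, endpoints = metadata
    req = ET.fromstring(xml_text)
    problems = []

    # 1. Issuer in the request must equal the entityID the IdP registered.
    issuer_el = req.find("saml:Issuer", NS)
    issuer = issuer_el.text.strip() if issuer_el is not None and issuer_el.text else None
    if issuer != entity_id:
        problems.append(
            f"Issuer {issuer!r} does not equal metadata entityID {entity_id!r}")

    # 2. If the request names an ACS URL, it must be listed in the metadata
    #    (for the same binding, when the request states one).
    binding = req.get("ProtocolBinding")
    acs_url = req.get("AssertionConsumerServiceURL")
    if acs_url is not None:
        allowed = {loc for b, loc in endpoints if binding is None or b == binding}
        if acs_url not in allowed:
            problems.append(
                f"ACS URL {acs_url!r} is not in metadata; listed: {sorted(allowed)}")
    return problems


if __name__ == "__main__":
    meta = parse_sp_metadata(SP_METADATA)
    for label, request in (("good", AUTHN_REQUEST_OK), ("bad", AUTHN_REQUEST_BAD)):
        print(label, check_authn_request(request, meta) or "consistent")
```

Run it against the metadata your SP actually publishes and the AuthnRequest captured from the browser; if the "bad" shape reproduces, the fix is on the SP side (entity ID and ACS URL in the Appian Admin Console) or in the metadata the IdP was given, not in the B2C policy's IssuerUri, which only changes what the IdP puts in its response.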
