Search code examples
azure-ad-b2csaml-2.0itfoxtec-identity-saml2

Azure AD B2C OpenID Connect and SAML 2.0 read role claims

AD FS is configured with custom policies as a claims provider on Azure AD B2C using SAML 2.0. The relying party on Azure AD B2C is using OpenID Connect.

AD FS issues a SAML 2.0 Assertion including role claims. If the roles are returned in two separate Attribute elements:

<saml:Attribute Name="http://test.com/claims/role">
  <saml:AttributeValue>role1</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="http://test.com/claims/role">
  <saml:AttributeValue>role2</saml:AttributeValue>
</saml:Attribute>

only the last claim is read by Azure AD B2C.

Otherwise if the roles is returned as AttributeValue elements in one Attribute element:

<saml:Attribute Name="http://test.com/claims/roles">
  <saml:AttributeValue>role1</saml:AttributeValue>
  <saml:AttributeValue>role2</saml:AttributeValue>
</saml:Attribute>

all the role value is read.

The Azure AD B2C role ClaimType used is:

<ClaimType Id="role">
  <DisplayName>Role</DisplayName>
  <DataType>string</DataType>
  <DefaultPartnerClaimTypes>
    <Protocol Name="OAuth2" PartnerClaimType="role" />
    <Protocol Name="OpenIdConnect" PartnerClaimType="role" />
    <Protocol Name="SAML2" PartnerClaimType="http://test.com/claims/role" />
  </DefaultPartnerClaimTypes>
  <UserHelpText/>
</ClaimType> 

<ClaimType Id="roles">
  <DisplayName>Roles</DisplayName>
  <DataType>stringCollection</DataType>
  <DefaultPartnerClaimTypes>
    <Protocol Name="OAuth2" PartnerClaimType="roles" />
    <Protocol Name="OpenIdConnect" PartnerClaimType="roles" />
    <Protocol Name="SAML2" PartnerClaimType="http://test.com/claims/roles" />
  </DefaultPartnerClaimTypes>
  <UserHelpText/>
</ClaimType>

SAML 2.0 support both sending multiple Attribute with the same name and one Attribute with a list of AttributeValue. Are there a way for Azure AD B2C to read multiple Attribute with the same name and not only the last one?

Solution

  • I solved the problem by adding a custom SAML 2.0 broker in between the AD FS and Azure AD B2C. The SAML 2.0 broker is a Relying Party (RP) on the AD FS and a Identity Provider (IdP) for Azure AD B2C. This way it is possible to convert the claims and issue a nye SAML 2.0 token with a claims structor supported by Azure AD B2C.

    Both the RP and IdP part of the SAML 2.0 broker can be implemented with the ITfoxtec.Identity.Saml2 package.