AD FS is configured with custom policies as a claims provider on Azure AD B2C using SAML 2.0. The relying party on Azure AD B2C is using OpenID Connect.
AD FS issues a SAML 2.0 Assertion including role claims. If the roles are returned in two separate Attribute elements:
<saml:Attribute Name="http://test.com/claims/role">
<saml:AttributeValue>role1</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="http://test.com/claims/role">
<saml:AttributeValue>role2</saml:AttributeValue>
</saml:Attribute>
only the last claim is read by Azure AD B2C.
Otherwise if the roles is returned as AttributeValue elements in one Attribute element:
<saml:Attribute Name="http://test.com/claims/roles">
<saml:AttributeValue>role1</saml:AttributeValue>
<saml:AttributeValue>role2</saml:AttributeValue>
</saml:Attribute>
all the role value is read.
The Azure AD B2C role ClaimType used is:
<ClaimType Id="role">
<DisplayName>Role</DisplayName>
<DataType>string</DataType>
<DefaultPartnerClaimTypes>
<Protocol Name="OAuth2" PartnerClaimType="role" />
<Protocol Name="OpenIdConnect" PartnerClaimType="role" />
<Protocol Name="SAML2" PartnerClaimType="http://test.com/claims/role" />
</DefaultPartnerClaimTypes>
<UserHelpText/>
</ClaimType>
<ClaimType Id="roles">
<DisplayName>Roles</DisplayName>
<DataType>stringCollection</DataType>
<DefaultPartnerClaimTypes>
<Protocol Name="OAuth2" PartnerClaimType="roles" />
<Protocol Name="OpenIdConnect" PartnerClaimType="roles" />
<Protocol Name="SAML2" PartnerClaimType="http://test.com/claims/roles" />
</DefaultPartnerClaimTypes>
<UserHelpText/>
</ClaimType>
SAML 2.0 support both sending multiple Attribute with the same name and one Attribute with a list of AttributeValue. Are there a way for Azure AD B2C to read multiple Attribute with the same name and not only the last one?
I solved the problem by adding a custom SAML 2.0 broker in between the AD FS and Azure AD B2C. The SAML 2.0 broker is a Relying Party (RP) on the AD FS and a Identity Provider (IdP) for Azure AD B2C. This way it is possible to convert the claims and issue a nye SAML 2.0 token with a claims structor supported by Azure AD B2C.
Both the RP and IdP part of the SAML 2.0 broker can be implemented with the ITfoxtec.Identity.Saml2 package.