I am attempting a proof of concept to integrate a SAML identity provider into an Azure AD B2C tenant, which my application will then access via OIDC. For this, I am using Auth0.com as the IDP, for which I've created an account and an application, and configured a single user whilst enabling the SAML2 add-on against the application.
I've created a custom policy; below is the ClaimsProvider definition, with sensitive data masked.
<ClaimsProvider>
  <Domain>auth0.com</Domain>
  <DisplayName>Mock SAML</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="MockSaml-SAML2">
      <DisplayName>Mock SAML2</DisplayName>
      <Protocol Name="SAML2" />
      <Metadata>
        <Item Key="PartnerEntity">https://dev-*********.us.auth0.com/samlp/metadata/******</Item>
      </Metadata>
      <CryptographicKeys>
        <Key Id="SamlAssertionSigning" StorageReferenceId="B2C_1A_SAMLSigningCert"/>
        <Key Id="SamlMessageSigning" StorageReferenceId="B2C_1A_SAMLSigningCert"/>
      </CryptographicKeys>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="assertionSubjectName" />
        <OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="first_name" />
        <OutputClaim ClaimTypeReferenceId="surname" PartnerClaimType="last_name" />
        <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="http://schemas.microsoft.com/identity/claims/displayname" />
        <OutputClaim ClaimTypeReferenceId="email" />
        <OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="auth0.com" />
        <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" />
      </OutputClaims>
      <OutputClaimsTransformations>
        <OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName"/>
        <OutputClaimsTransformation ReferenceId="CreateUserPrincipalName"/>
        <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId"/>
        <OutputClaimsTransformation ReferenceId="CreateSubjectClaimFromAlternativeSecurityId"/>
      </OutputClaimsTransformations>
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-Saml-idp"/>
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>
The orchestration is an exact clone of "SignUpOrSignIn" but renamed, and references the MockSaml-SAML2 technical profile. The certificate loaded into AD B2C is a self-signed certificate. Do I need to put this certificate into Auth0, or does the certificate from Auth0 need to come into B2C in some way?
I've followed the steps from the Microsoft tutorial for integrating SAML IDPs - https://learn.microsoft.com/en-us/azure/active-directory-b2c/saml-service-provider?tabs=windows&pivots=b2c-custom-policy - but unfortunately, when running the policy through B2C with the redirect URL set to jwt.ms, the URL does not contain a token, but instead error=server_error&error_description=AADB2C An exception has occurred. The audit log within B2C gives absolutely no detail.
I've spent way too long on this already; if anybody has any ideas of other avenues to explore, or even a step-by-step guide to integrate Auth0 as a SAML IDP with AD B2C, then that'd be greatly appreciated!
This link is also useful.
Essentially, you set up the cert. on the B2C side and send the metadata to Auth0 and import it on that side. The metadata contains all the cert. info.
Of the form:
Get the Auth0 metadata and put it here:
<Metadata>
  <Item Key="PartnerEntity">https://your-AD-FS-domain/federationmetadata/2007-06/federationmetadata.xml</Item>
</Metadata>
as per the docs.
Are you using AppInsights for the log?