0
votes

I'm trying to use Azure AD B2C as a SAML Identity Provider.

I am aware that several locations on the web state that B2C does not (yet) support SAML as identity provider (also e.g. answer on this question: Can I integrate a SAML application with Azure AD B2C?).

However, when I read the comparison between built-in policies and custom policies on the "Azure AD B2C Custom Policies" docs, I see that SAML is already supported today as an identity provider.

Also, I found this GitHub walkthrough: https://github.com/Azure-Samples/active-directory-b2c-advanced-policies/blob/master/Walkthroughs/RP-SAML.md

Following that walkthrough, I have an issue in step 5 "Upload Certs" of the first section "Create the SAML Token Issuer" while executing New-CpimCertificate.

I can successfully import the module ExploreAdmin.dll. However, when providing my credentials while calling New-CpimCertificate, I get this error on the console:

New-CpimCertificate : Unauthorized.
Access to this Api requires feature: 'Advanced' for the tenant: '<myazureb2ctenant>.onmicrosoft.com'.

Any help, thoughts, comments... are very welcome!


1 Answer

3
votes

Azure AD B2C still does not officially support (even in preview) connecting with apps via SAML (aka being a SAML identity provider).

It only supports connecting to other identity providers via SAML (aka being a SAML relying party).

The GitHub walkthrough you came across is an old walkthrough from before the official launch of the Azure AD B2C Custom Policies preview. It talks about features that weren't included in the scope of the preview, such as B2C as a SAML IdP. It also references tools (those PowerShell scripts) and steps that are no longer applicable.

The mention of SAML in the Identity Providers section of the "Azure AD B2C Custom Policies" doc refers to supporting B2C as a relying party that connects to a SAML identity provider, not the other way around (where B2C is the SAML identity provider itself).

All that being said, you CAN make your scenario work, with the clear understanding that it's not supported.

You can use that GitHub document you've referenced, swapping out the steps that involve ExploreAdmin and New-CpimCertificate for these instructions that allow you to upload the certificate via the portal:

  1. Go to your Azure AD B2C tenant. Click Settings > Identity Experience Framework > Policy Keys.
  2. Click +Add, and then:
    1. Click Options > Upload.
    2. Enter a Name (for example, YourAppNameSamlCert). The prefix B2C_1A_ is automatically added to the name of your key.
    3. To select your certificate, select upload file control.
    4. Enter the certificate's password.
  3. Click Create.
  4. Verify that you've created a key (for example, B2C_1A_YourAppNameSamlCert).
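Once the policy key exists, the custom policy's SAML token issuer technical profile has to reference it by its B2C_1A_ name. The fragment below is an added illustration of that reference, not part of the answer or of the GitHub walkthrough; the technical profile id (`Saml2AssertionIssuer`), the key ids (`SamlAssertionSigning`, `SamlMessageSigning`), the tenant name `<tenant>` and the key name `B2C_1A_YourAppNameSamlCert` are placeholders or assumptions taken from the current Identity Experience Framework schema, and the `IssuerUri` must match whatever the relying party is configured to trust.

```xml
<!-- Added example: referencing the uploaded policy key from the SAML token issuer.
     Key ids and the technical profile id are assumed from the current IEF schema;
     <tenant> and B2C_1A_YourAppNameSamlCert are placeholders. -->
<ClaimsProvider>
  <DisplayName>Token Issuer</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="Saml2AssertionIssuer">
      <DisplayName>Token Issuer</DisplayName>
      <Protocol Name="SAML2"/>
      <OutputTokenFormat>SAML2</OutputTokenFormat>
      <Metadata>
        <!-- The entity id the relying party will see; keep it stable, since
             changing it invalidates the trust the RP has configured. -->
        <Item Key="IssuerUri">https://<tenant>.b2clogin.com/<tenant>.onmicrosoft.com/B2C_1A_signup_signin_saml</Item>
      </Metadata>
      <CryptographicKeys>
        <!-- Both the assertion and the outer SAML message are signed with the
             key uploaded as B2C_1A_YourAppNameSamlCert (the name from step 4). -->
        <Key Id="SamlAssertionSigning" StorageReferenceId="B2C_1A_YourAppNameSamlCert"/>
        <Key Id="SamlMessageSigning"   StorageReferenceId="B2C_1A_YourAppNameSamlCert"/>
      </CryptographicKeys>
      <InputClaims/>
      <OutputClaims/>
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>
```

A useful check after uploading is that the `StorageReferenceId` matches the key name shown in Policy Keys exactly, including the automatically added `B2C_1A_` prefix; a mismatch only surfaces at sign-in time as a policy validation error rather than at upload. The relying party should be given the public certificate only; the PFX with the private key stays in the B2C policy key store.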