1
votes

I have configured Azure B2C as IdP via SAML successfully for a single Service Provider. There are many pieces that I don't understand in this setup even though it's working. I will describe what I have so far and then ask questions later.

Let's say I have two Service Providers, SP1/SP2, both requiring SAML and a page to sign up/sign in. SP1 requires loyality_id as a custom attribute and SP2 requires a product_name attribute.

Here's the source code that works. Credit/Thanks to this blog

Below is the high level summary of the configuration.

SAML for SP1 (Service Provider 1):

  • Add signing and encryption keys to the B2C tenant
  • Register Identity Experience Framework applications
    • Create web app IdentityExperienceFramework in Azure Active Directory
    • Create native app ProxyIdentityExperienceFramework in Azure Active Directory
  • Start from starter pack for LocalAccounts as base
  • Add Saml2AssertionIssuer to the base policy
  • Add user journey SignInSaml to the base policy
  • In Extension Policy override "Local Account SignIn" claims provider and add substitute values for "client_id" and "IdTokenAudience" from apps that were created earlier
  • Policy file with RelyingParty for SP1
    • This describes the output claims that are added to the SAML response

Signup/signin policies for SP1:

  • Create built-in signup and sign-in policy
  • Create Application in Azure B2C blade

So far with this setup, I have two Applications in Azure Active Directory for custom policies and one Application in Azure B2C blade for built-in policy.

According to https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-create-custom-attributes-profile-edit-custom,

Extension properties can only be registered on an Application object even though they may contain data for a User. The property is attached to the application. The Application object must be granted write access to register an extension property.

  • What is the "Application" the above paragraph is referring to?
  • What is the purpose of the apps IdentityExperienceFramework/ProxyIdentityExperienceFramework?
  • To set up SP2, do I need to create separate Azure Active Directory apps for IdentityExperienceFramework/ProxyIdentityExperienceFramework? Or can I use the same ones? How do custom attributes factor into this?
  • How do I set up custom attributes in this case, where SAML is through a custom policy and sign-in/sign-up is a built-in policy?
  • In this case, under what app context are the custom attributes created?

I appreciate any pointers.

Thanks

1
Just a comment: Azure B2C custom policies configuration is a HELL. I worked with B2C and ADFS as IdP and managed it only with many days of support help from Microsoft. – Michael Chudinov

1 Answer

1
votes

The application is the one created in the section "Creating a new application to store the extension properties".

The apps' purpose is to enable sign-in using local accounts. The same apps can be used across multiple policies.

Custom attributes are related to the application created in app registrations at Azure AD level, and with the permissions detailed in the configuration docs.

In my GitHub profile, you can find a different implementation of the B2C as SAML issuer scenario: https://github.com/marcelodiiorio/My-Azure-AD-B2C-use-cases.

Tell me if you have more questions.
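To make the answer concrete, here is an added example (not code from the question, the answer, or the linked repository) of how SP1's custom attribute is declared, bound to the application that owns the extension property, persisted, and emitted only in SP1's SAML response; the application object ID, client ID, SP entity ID and the claim name loyalty_id are placeholders chosen for this illustration:

```xml
<!-- TrustFrameworkExtensions.xml: declare the custom attribute. The policy refers to it
     as extension_loyalty_id; the directory stores it on the owning application as
     extension_<owning app client id without dashes>_loyalty_id. -->
<BuildingBlocks>
  <ClaimsSchema>
    <ClaimType Id="extension_loyalty_id">
      <DisplayName>Loyalty ID</DisplayName>
      <DataType>string</DataType>
      <UserInputType>TextBox</UserInputType>
    </ClaimType>
  </ClaimsSchema>
</BuildingBlocks>
<ClaimsProviders>
  <ClaimsProvider>
    <DisplayName>Azure Active Directory</DisplayName>
    <TechnicalProfiles>
      <!-- AAD-Common is inherited by every directory read/write profile. These two values
           name the app registration that owns the extension property (placeholders). -->
      <TechnicalProfile Id="AAD-Common">
        <Metadata>
          <Item Key="ApplicationObjectId">00000000-0000-0000-0000-000000000000</Item>
          <Item Key="ClientId">11111111-1111-1111-1111-111111111111</Item>
        </Metadata>
      </TechnicalProfile>
      <!-- Store the value when the local account is created, read it back at sign-in. -->
      <TechnicalProfile Id="AAD-UserWriteUsingLogonEmail">
        <PersistedClaims>
          <PersistedClaim ClaimTypeReferenceId="extension_loyalty_id" />
        </PersistedClaims>
      </TechnicalProfile>
      <TechnicalProfile Id="AAD-UserReadUsingObjectId">
        <OutputClaims>
          <OutputClaim ClaimTypeReferenceId="extension_loyalty_id" />
        </OutputClaims>
      </TechnicalProfile>
    </TechnicalProfiles>
  </ClaimsProvider>
</ClaimsProviders>
<!-- SP1's relying-party file: the same base/extension policies and the same
     IdentityExperienceFramework apps serve SP2, whose own RelyingParty file lists
     product_name here instead of loyalty_id. -->
<RelyingParty>
  <DefaultUserJourney ReferenceId="SignInSaml" />
  <TechnicalProfile Id="PolicyProfile">
    <DisplayName>PolicyProfile</DisplayName>
    <Protocol Name="SAML2" />
    <Metadata>
      <Item Key="PartnerEntity">https://sp1.example.com/saml/metadata</Item>
    </Metadata>
    <OutputClaims>
      <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="userId" />
      <OutputClaim ClaimTypeReferenceId="extension_loyalty_id" PartnerClaimType="loyalty_id" />
    </OutputClaims>
    <SubjectNamingInfo ClaimType="objectId" ExcludeAsClaim="true" />
  </TechnicalProfile>
</RelyingParty>
```

The ClientId/ApplicationObjectId pair is what ties the attribute to an application object, which is the point of the quoted docs paragraph: the property lives on that app registration, not on the SAML relying party or on the built-in policy's B2C application.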