2
votes

I am working on adding a custom SAML 2.0 identity provider (Okta) to use with my B2C tenant. I have configured it and it works great when I initiate the login from my application. However, when I initiate the login from the identity provider (Okta) it fails to log in. On the first attempt I received this error from B2C: "does not specify first step or the first step is not a claims exchange". As a result of this error, I removed the extra claims providers from the custom policy so the ClaimsExchange was the first journey step, and then I received this error: "Specified method is not supported.".

Is this scenario supported? If so, what changes to the custom policies need to be done to support it?

1
I cannot find any samples for this but Azure Feedback seems to suggest that it's supported. I will check with the product team and get back to you.

Marilee Turscak - MSFT

1 Answer

0
votes

Looking at the documentation, it is possible:

There is metadata that you will have to specify:

  • IdpInitiatedProfileEnabled:

    Indicates whether a single sign-on session profile is enabled that was initiated by a SAML identity provider profile. Possible values: true or false. The default is false. In the flow initiated by the identity provider, the user is authenticated externally and an unsolicited response is sent to Azure AD B2C, which then consumes the token, executes orchestration steps, and then sends a response to the relying party application.
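To show where that metadata item lives in a custom policy, here is an added example of a SAML 2.0 claims provider technical profile with IdpInitiatedProfileEnabled switched on. It is illustrative only, not from the answer above or from Microsoft's starter pack: the technical profile Id, DisplayName, the okta.example.com metadata URL and the B2C_1A_OktaSamlCert key container name are placeholders you would replace with your own tenant's values; the other element and Key names are the ones Azure AD B2C documents for a SAML2 technical profile.

```xml
<!-- Added example: SAML 2.0 claims provider with the IdP-initiated profile enabled.
     All Ids, URLs and key names below are placeholders (assumed), not from the original post. -->
<ClaimsProvider>
  <Domain>okta.example.com</Domain>
  <DisplayName>Okta</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="Okta-SAML2">
      <DisplayName>Okta</DisplayName>
      <Description>Sign in with Okta over SAML 2.0</Description>
      <Protocol Name="SAML2" />
      <Metadata>
        <!-- Placeholder: the identity provider's SAML metadata URL -->
        <Item Key="PartnerEntity">https://okta.example.com/app/PLACEHOLDER/sso/saml/metadata</Item>
        <!-- Unsolicited (IdP-initiated) responses are accepted only when this is true;
             the default is false, which matches the "Specified method is not supported" symptom. -->
        <Item Key="IdpInitiatedProfileEnabled">true</Item>
        <!-- Keep assertion signature checks on so an unsolicited response must be signed by the IdP -->
        <Item Key="WantsSignedAssertions">true</Item>
      </Metadata>
      <CryptographicKeys>
        <!-- Placeholder policy key container holding the certificate B2C signs its own messages with -->
        <Key Id="SamlMessageSigning" StorageReferenceId="B2C_1A_OktaSamlCert" />
      </CryptographicKeys>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="assertionSubjectName" />
        <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="email" />
        <OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="okta" />
        <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" />
      </OutputClaims>
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-Saml-idp" />
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>
```

The user journey that references this technical profile must still begin with a ClaimsExchange step pointing at it (the "first step is not a claims exchange" error in the question), because in the IdP-initiated flow there is no sign-in page for B2C to show before the assertion arrives.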