B2C as SAML IDP can no longer be set up after breaking change to identifierUris
I am currently implementing SAML sign in for our B2C tenants based on the documentation. I already did this a couple of weeks ago as a proof of concept. However, the recent breaking change now prevents me from implementing the solution.
I now get this error when I try to set up the identifierUris.
Failed to update B2C-SamlSignIn application. Error detail: Values of IdentifierUris property must use a verified domain of the organization or its subdomain:
In my working proof of concept, I had an identifierUrl which does not fit into the new requirements for the domain. Without it, the solution is no longer working with the external application I am trying to connect. I get a redirect loop when I initiate login. The loop indicates that the removed identifierUri is the issue:
<samlp:StatusMessage>Application registered corresponding to IssuerUri https://someotherdomain/somethingspecific in AuthRequest does not have assertion consumer service URL https://someotherdomain/somethingspecific/broker/saml/endpoint specified in its metadata.</samlp:StatusMessage><samlp:StatusDetail>
https://someotherdomain/somethingspecific is the value I had set up before. I cannot change the entityId in the other application.
Is there a way to get it working again? I tried creating a new application which has "Accounts in any identity provider or organizational directory (for authenticating users with user flows)", but the same restrictions seem to apply there.
Solution 1:[1]
@doodlleus - For me it still works, but only if I choose the correct "Support type". When creating the app, select e.g.
Accounts in this organizational directory only (... - Single tenant)
Once created, the manifest will have the "accessTokenAcceptedVersion" attribute set to "null", which I changed to "2", and then I could set "identifierUris".
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 |
