How to do claims mapping in AD B2C custom policy when using SAML IDP

I'm trying to add a SAML IDP to AD B2C using a custom policy. I did all the setup and B2C is redirecting me to the IDP's login page, but now I'm confused by the claims mapping step. I'm following the article below:

Set up sign-up and sign-in with SAML identity provider using Azure Active Directory B2C

This is the one showing the attributes sent by the IDP. My technical profile is added below:

<TechnicalProfiles>
    <TechnicalProfile Id="Contoso-SAML2">
      <DisplayName>Saml Test</DisplayName>
      <Description>Login with your SAML identity provider account</Description>
      <Protocol Name="SAML2"/>
      <Metadata>
        <Item Key="PartnerEntity"> https://samltest.id/saml/idp</Item>
      </Metadata>
      <CryptographicKeys>
        <Key Id="SamlMessageSigning" StorageReferenceId="B2C_1A_SAMLSigningCert"/>
      </CryptographicKeys>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="uid" />
        <OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="givenName" />
        <OutputClaim ClaimTypeReferenceId="surname" PartnerClaimType="sn" />
        <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="displayName" />
        <OutputClaim ClaimTypeReferenceId="email"  PartnerClaimType="mail"/>
        <OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="samltest.id" />
        <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" />
      </OutputClaims>
      <OutputClaimsTransformations>
        <OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName"/>
        <OutputClaimsTransformation ReferenceId="CreateUserPrincipalName"/>
        <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId"/>
        <OutputClaimsTransformation ReferenceId="CreateSubjectClaimFromAlternativeSecurityId"/>
      </OutputClaimsTransformations>
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-Saml-idp"/>
    </TechnicalProfile>
</TechnicalProfiles>

After completing the sign-in, I'm getting the error below:

AADB2C: A claim with id 'issuerUserId' was not found, which is required by ClaimsTransformation 'CreateAlternativeSecurityId' with id 'CreateAlternativeSecurityId' in policy 'B2C_1A_signup_signin'

I believe this is because I haven't done the claims mapping. How can I resolve this?

Solution 1:[1]

The issue was solved with the help of Jas Suri - MSFT's comment. Below is my SAML response:

<saml:Assertion xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" ID="_134d0c388282ca18031a7d00efffa0fc" Version="2.0" IssueInstant="2022-04-29T08:34:35.635Z" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://samltest.id/saml/idp</saml:Issuer>
  <saml:Subject>
    <saml:NameID NameQualifier="https://samltest.id/saml/idp" SPNameQualifier="https://mytenant.b2clogin.com/mytenant.onmicrosoft.com/B2C_1A_TrustFrameworkBase" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">V3QCBLSO2CHF47EMELCG23VN73FLI6ZY</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2022-04-29T08:39:35.646Z" Recipient="https://mytenant.b2clogin.com/mytenant.onmicrosoft.com/B2C_1A_TrustFrameworkBase/samlp/sso/assertionconsumer" InResponseTo="_c6e2e6b1-518f-4837-9e3e-8e7a0fd6d857" Address="157.46.147.227" />
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2022-04-29T08:34:35.635Z" NotOnOrAfter="2022-04-29T08:39:35.635Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://mytenant.b2clogin.com/mytenant.onmicrosoft.com/B2C_1A_TrustFrameworkBase</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement SessionIndex="_ac852acc6d8309dfb667e66ddf371620" AuthnInstant="2022-04-29T08:33:50.718Z">
    <saml:SubjectLocality Address="157.46.147.227" />
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="eduPersonEntitlement">
      <saml:AttributeValue>urn:mace:dir:entitlement:common-lib-terms</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="uid">
      <saml:AttributeValue>rick</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oasis:names:tc:SAML:attribute:subject-id" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml:AttributeValue xsi:type="xsd:string">[email protected]</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:2.5.4.20" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="telephoneNumber">
      <saml:AttributeValue>+1-555-555-5515</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="https://samltest.id/attributes/role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="role">
      <saml:AttributeValue xsi:type="xsd:string">[email protected]</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="mail">
      <saml:AttributeValue>[email protected]</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:2.5.4.4" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="sn">
      <saml:AttributeValue>Sanchez</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:2.16.840.1.113730.3.1.241" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="displayName">
      <saml:AttributeValue>Rick Sanchez</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:2.5.4.42" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="givenName">
      <saml:AttributeValue>Rick</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>

I had used the FriendlyName for the PartnerClaimType in my custom policy technical profile instead of the Name. I changed the technical profile as below and it worked perfectly.

    <TechnicalProfile Id="Contoso-SAML2">
      <DisplayName>Saml Test</DisplayName>
      <Description>Login with your SAML identity provider account</Description>
      <Protocol Name="SAML2"/>
      <Metadata>
        <Item Key="PartnerEntity"> https://samltest.id/saml/idp</Item>
      </Metadata>
      <CryptographicKeys>
        <Key Id="SamlMessageSigning" StorageReferenceId="B2C_1A_SAMLSigningCert"/>
      </CryptographicKeys>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="urn:oid:0.9.2342.19200300.100.1.1" />
        <OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="urn:oid:2.5.4.42" />
        <OutputClaim ClaimTypeReferenceId="surname" PartnerClaimType="urn:oid:2.5.4.4" />
        <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="urn:oid:2.16.840.1.113730.3.1.241" />
        <OutputClaim ClaimTypeReferenceId="email"  PartnerClaimType="urn:oid:0.9.2342.19200300.100.1.3"/>
        <OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="samltest.id" />
        <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" />
      </OutputClaims>
      <OutputClaimsTransformations>
        <OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName"/>
        <OutputClaimsTransformation ReferenceId="CreateUserPrincipalName"/>
        <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId"/>
        <OutputClaimsTransformation ReferenceId="CreateSubjectClaimFromAlternativeSecurityId"/>
      </OutputClaimsTransformations>
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-Saml-idp"/>
    </TechnicalProfile>

Thanks Jas Suri.
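The accepted answer comes down to one matching rule: B2C resolves each OutputClaim's PartnerClaimType against the SAML attribute's Name, never its FriendlyName, so a profile written with friendly names leaves issuerUserId empty and CreateAlternativeSecurityId fails. The script below is an added example (not code from the question, the answer, or Microsoft) that checks a technical profile against a captured assertion before deploying the policy: it lists every PartnerClaimType that will not resolve, suggests the Name where the value only matches a FriendlyName, and flags the required claims that would stay empty. The assertion and profile embedded in it are constructed samples that mirror the attribute set above; the email address is a placeholder.

```python
"""Cross-check a B2C SAML technical profile against an IdP assertion.

B2C maps an OutputClaim only when its PartnerClaimType equals the
<saml:Attribute Name="..."> value; FriendlyName is ignored.  This script
parses both documents and reports every PartnerClaimType that will not
resolve, suggesting the Name to use when the value matches a FriendlyName.
"""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (attribute set mirrors the samltest.id response above).
ASSERTION_XML = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_x" Version="2.0">
  <saml:Issuer>https://samltest.id/saml/idp</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.1" FriendlyName="uid">
      <saml:AttributeValue>rick</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3" FriendlyName="mail">
      <saml:AttributeValue>rick@example.test</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:2.5.4.4" FriendlyName="sn">
      <saml:AttributeValue>Sanchez</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:2.5.4.42" FriendlyName="givenName">
      <saml:AttributeValue>Rick</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:2.16.840.1.113730.3.1.241" FriendlyName="displayName">
      <saml:AttributeValue>Rick Sanchez</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed sample profile: the "before" mapping from the question, which
# uses FriendlyName values as PartnerClaimType.
PROFILE_XML = """<TechnicalProfile Id="Contoso-SAML2">
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="uid" />
    <OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="givenName" />
    <OutputClaim ClaimTypeReferenceId="surname" PartnerClaimType="sn" />
    <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="displayName" />
    <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="mail" />
    <OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="samltest.id" />
  </OutputClaims>
</TechnicalProfile>"""


def _local(tag):
    """Strip any XML namespace so a full TrustFrameworkPolicy file also parses."""
    return tag.rsplit("}", 1)[-1]


def assertion_attributes(assertion_xml):
    """Return {Name: FriendlyName-or-None} for every attribute the IdP sent."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        attrs[attr.get("Name")] = attr.get("FriendlyName")
    return attrs


def check_mappings(profile_xml, assertion_xml):
    """Return a list of (claim id, partner claim type, status, suggested Name).

    status is "ok" when the PartnerClaimType equals an attribute Name,
    "friendly-name" when it only equals a FriendlyName (B2C will not map it),
    "missing" when the IdP sent nothing matching either, and "default" when
    the claim is filled from DefaultValue and needs no attribute.
    """
    attrs = assertion_attributes(assertion_xml)
    by_friendly = {f: n for n, f in attrs.items() if f}
    root = ET.fromstring(profile_xml)
    report = []
    for claims in root.iter():
        if _local(claims.tag) != "OutputClaims":
            continue
        for claim in claims:
            if _local(claim.tag) != "OutputClaim":
                continue
            claim_id = claim.get("ClaimTypeReferenceId")
            partner = claim.get("PartnerClaimType")
            if partner is None:
                report.append((claim_id, None, "default", None))
            elif partner in attrs:
                report.append((claim_id, partner, "ok", None))
            elif partner in by_friendly:
                report.append((claim_id, partner, "friendly-name", by_friendly[partner]))
            else:
                report.append((claim_id, partner, "missing", None))
    return report


def missing_required(report, required=("issuerUserId",)):
    """Claim ids the transformations need (CreateAlternativeSecurityId reads
    issuerUserId) that the current mapping will leave unpopulated."""
    unresolved = {cid for cid, _, status, _ in report if status in ("friendly-name", "missing")}
    return [cid for cid in required if cid in unresolved]


if __name__ == "__main__":
    report = check_mappings(PROFILE_XML, ASSERTION_XML)
    for claim_id, partner, status, suggestion in report:
        line = f"{claim_id:20} {str(partner):14} {status}"
        if suggestion:
            line += f'  -> use PartnerClaimType="{suggestion}"'
        print(line)
    print("unresolved required claims:", missing_required(report))
```

Run against the "before" profile, every mapped claim reports friendly-name with the OID to substitute, and issuerUserId appears in the unresolved list, which is exactly the condition behind the AADB2C error in the question. Pointing it at the corrected profile from the answer yields an empty unresolved list. Feeding it a real assertion captured from the browser (the one the policy's session trace shows) is the quickest way to confirm the mapping before uploading a policy.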

Solution 2:[2]

• As per the error that you are encountering, your <ClaimsProvider> is missing the 'socialIdpUserId' claim. This is because either the <OutputClaim> entry which has ClaimTypeReferenceId="socialIdPUserId" is missing, or it's mapped to a PartnerClaimType that your SAML IdP isn't providing. Thus, based on the documentation link that you are referencing (below), I would suggest you use the modified 'Technical Profile' element below in your custom policy:

https://docs.microsoft.com/en-us/azure/active-directory-b2c/identity-provider-generic-saml?tabs=windows&pivots=b2c-custom-policy#map-the-claims

<TechnicalProfiles>
<TechnicalProfile Id="Contoso-SAML2">
  <DisplayName>Saml Test</DisplayName>
  <Description>Login with your SAML identity provider account</Description>
  <Protocol Name="SAML2"/>
  <Metadata>
    <Item Key="PartnerEntity"> https://samltest.id/saml/idp</Item>
  </Metadata>
  <CryptographicKeys>
    <Key Id="SamlMessageSigning" StorageReferenceId="B2C_1A_SAMLSigningCert"/>
  </CryptographicKeys>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="socialIdpUserId" PartnerClaimType="userId"/>
    <OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="givenName" />
    <OutputClaim ClaimTypeReferenceId="surname" PartnerClaimType="sn" />
    <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="displayName" />
    <OutputClaim ClaimTypeReferenceId="email"  PartnerClaimType="mail"/>
    <OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="samltest.id" />
    <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" />
  </OutputClaims>
  <OutputClaimsTransformations>
    <OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName"/>
    <OutputClaimsTransformation ReferenceId="CreateUserPrincipalName"/>
    <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId"/>
    <OutputClaimsTransformation ReferenceId="CreateSubjectClaimFromAlternativeSecurityId"/>
  </OutputClaimsTransformations>
  <UseTechnicalProfileForSessionManagement ReferenceId="SM-Saml-idp"/>
</TechnicalProfile>
</TechnicalProfiles>

The above changes in the technical profile of your custom policy should help you resolve your error.

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Alex
Solution 2 KartikBhiwapurkar-MT