Is IdP-initiated SSO supported with a custom SAML IdP in Azure AD B2C?

I am working on adding a custom SAML 2.0 identity provider (Okta) to use with my B2C tenant. I have configured it and it works great when I initiate the login from my application. However, when I initiate the login from the identity provider (Okta) it fails to log in. On the first attempt I received this error from B2C: "does not specify first step or the first step is not a claims exchange". As a result of this error, I removed the extra claims providers from the custom policy so the ClaimsExchange was the first journey step, and then I received this error: "Specified method is not supported.".

Is this scenario supported? If so, what changes to the custom policies need to be done to support it?



Solution 1:[1]

Looking at the documentation it is possible:

There is metadata that you will have to specify:

  • IdpInitiatedProfileEnabled:

Indicates whether a single sign-on session profile is enabled that was initiated by a SAML identity provider profile. Possible values: true or false. The default is false. In the flow initiated by the identity provider, the user is authenticated externally and an unsolicited response is sent to Azure AD B2C, which then consumes the token, executes orchestration steps, and then sends a response to the relying party application.

Solution 2:[2]

Azure AD B2C doesn't currently support IdP initiated SSO flows with "External" federated identity providers as of posting this answer, referenced in Microsoft's documentation.

We don't currently support scenarios where the initiating identity provider is an external identity provider federated with Azure AD B2C, such as Active Directory Federation Services or Salesforce. IdP-initiated flow is supported only for local account authentication in Azure AD B2C.

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Thomas
Solution 2 Mina Hafzalla