Reputation: 117
I'm attempting to use B2C custom policies to configure B2C as my SAML IdP. As a test I've set up our on-premises ADFS environment as the SAML RP, which seems to be required in order for the B2C logon page to work (B2C SAML doesn't support an IdP-initiated session).
I've been following the guides at https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-get-started-custom and https://github.com/Azure-Samples/active-directory-b2c-advanced-policies/blob/master/Walkthroughs/RP-SAML.md to set up my B2C environment.
I get as far as the B2C sign-in page that the end user receives; however, after I enter an account's credentials into the B2C sign-in page I get redirected back to my RP with a SAML token, but none of the configured claims are parsed from it. The SAML token shows the following error:
<samlp:Status>
  <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder" />
  <samlp:StatusMessage>Id:410906d7-639d-4828-b28d-22f84dfa617b ; Message: Policy 'B2C_1A_signup_signin_saml' in tenant ' mytenant.onmicrosoft.com'' specifies the claim 'sub' for the SubjectNamingInfo, but the claim is either not present or is null.</samlp:StatusMessage>
  <IsPolicySpecificError>true</IsPolicySpecificError>
</samlp:Status>
My SignUpOrSigninSaml.xml RP config is as follows:
<RelyingParty>
  <DefaultUserJourney ReferenceId="SignUpOrSignInSaml"/>
  <TechnicalProfile Id="PolicyProfile">
    <DisplayName>PolicyProfile</DisplayName>
    <Protocol Name="SAML2" />
    <Metadata>
      <Item Key="PartnerEntity">https://adfs-test.mycorporation.com.au/FederationMetadata/2007-06/FederationMetadata.xml</Item>
      <Item Key="KeyEncryptionMethod">Rsa15</Item>
      <Item Key="DataEncryptionMethod">Aes256</Item>
      <Item Key="XmlSignatureAlgorithm">Sha256</Item>
    </Metadata>
    <OutputClaims>
      <OutputClaim ClaimTypeReferenceId="displayName" />
      <OutputClaim ClaimTypeReferenceId="givenName" />
      <OutputClaim ClaimTypeReferenceId="surname" />
    </OutputClaims>
    <!-- The ClaimType in the SubjectNamingInfo element below is a reference to the name of the claim added to the claims bag used by the token minting process.
         This name is determined in the following order. If no PartnerClaimType is specified on the output claim above, then the DefaultPartnerClaimType for the protocol specified in the claims schema is used if one exists; otherwise the ClaimTypeReferenceId in the output claim is used.
         For the SubjectNamingInfo below we use the DefaultPartnerClaimType of http://schemas.microsoft.com/identity/claims/objectidentifier, since the output claim does not specify a PartnerClaimType. -->
    <!-- <SubjectNamingInfo ClaimType="http://schemas.microsoft.com/identity/claims/objectidentifier" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" ExcludeAsClaim="true"/> -->
    <SubjectNamingInfo ClaimType="sub" />
  </TechnicalProfile>
</RelyingParty>
I've tried a few different configurations for the "SubjectNamingInfo" such as:
<SubjectNamingInfo ClaimType="http://schemas.microsoft.com/identity/claims/objectidentifier" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" ExcludeAsClaim="true"/>
<SubjectNamingInfo ClaimType="sub" />
<SubjectNamingInfo ClaimType="name" />
But they all produce the same error.
I believe that once the SubjectNamingInfo issue is sorted the configured OutputClaims will show.
Anyone know how I can resolve this so I am able to see the claims of my user account in the token?
---Edit---
I attempted to add "sub" as an output claim; however, since it is not defined in the base file, B2C won't allow it. Alternatively, I tried changing the SubjectNamingInfo to a claim that is already defined as an output claim:
<SubjectNamingInfo ClaimType="givenName" />
However, I still seem to get the same error:
<samlp:Status>
  <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder" />
  <samlp:StatusMessage>Id:a3fe7ab0-4483-45b6-93f8-e75b539a3aea ; Message: The relying party technical profile of policy 'mytenant.onmicrosoft.com' in tenant 'B2C_1A_signup_signin_saml' specifies the claim type 'givenName' as the subject naming info claim, but the claim is not present or is null.</samlp:StatusMessage>
  <IsPolicySpecificError>true</IsPolicySpecificError>
</samlp:Status>
Upvotes: 4
Views: 5276
Reputation: 14654
It isn't common to use the sub claim as the <saml:Subject><saml:NameID> element for a SAML assertion.
It is recommended to use the objectId claim as follows.
1) Ensure the objectId claim is declared with a partner claim for the SAML2 protocol:
<ClaimType Id="objectId">
  <DisplayName>Object Identifier</DisplayName>
  <DataType>string</DataType>
  <DefaultPartnerClaimTypes>
    <Protocol Name="OAuth2" PartnerClaimType="oid" />
    <Protocol Name="OpenIdConnect" PartnerClaimType="oid" />
    <Protocol Name="SAML2" PartnerClaimType="http://schemas.microsoft.com/identity/claims/objectidentifier" />
  </DefaultPartnerClaimTypes>
</ClaimType>
2) Add the objectId claim to the <OutputClaims /> collection for the relying party technical profile and set the SubjectNamingInfo element:
<RelyingParty>
  <TechnicalProfile Id="PolicyProfile">
    <OutputClaims>
      <OutputClaim ClaimTypeReferenceId="objectId" />
      <OutputClaim ClaimTypeReferenceId="displayName" />
      <OutputClaim ClaimTypeReferenceId="givenName" />
      <OutputClaim ClaimTypeReferenceId="surname" />
    </OutputClaims>
    <SubjectNamingInfo ClaimType="http://schemas.microsoft.com/identity/claims/objectidentifier" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" ExcludeAsClaim="true"/>
  </TechnicalProfile>
</RelyingParty>
More information about SubjectNamingInfo
The ClaimType attribute for the SubjectNamingInfo element references a claim type that must be declared as an output claim for the technical profile.
This claim type is referenced by name with the following precedence:
1) If the PartnerClaimType attribute for the OutputClaim element is specified, then the ClaimType attribute for the SubjectNamingInfo element must be set to the ClaimTypeReferenceId attribute for this OutputClaim element:
<RelyingParty>
  <TechnicalProfile Id="PolicyProfile">
    <OutputClaims>
      <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="http://schemas.microsoft.com/identity/claims/objectidentifier" />
      ...
    </OutputClaims>
    <SubjectNamingInfo ClaimType="objectId" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" ExcludeAsClaim="true"/>
  </TechnicalProfile>
</RelyingParty>
2) If the PartnerClaimType attribute for the OutputClaim element is not specified, then the ClaimType attribute for the SubjectNamingInfo element must be set to the DefaultPartnerClaimType attribute for the ClaimType element that is referenced by the ClaimTypeReferenceId attribute for this OutputClaim element:
<ClaimType Id="objectId">
  <DefaultPartnerClaimTypes>
    <Protocol Name="SAML2" PartnerClaimType="http://schemas.microsoft.com/identity/claims/objectidentifier" />
  </DefaultPartnerClaimTypes>
</ClaimType>
<RelyingParty>
  <TechnicalProfile Id="PolicyProfile">
    <OutputClaims>
      <OutputClaim ClaimTypeReferenceId="objectId" />
      ...
    </OutputClaims>
    <SubjectNamingInfo ClaimType="http://schemas.microsoft.com/identity/claims/objectidentifier" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" ExcludeAsClaim="true"/>
  </TechnicalProfile>
</RelyingParty>
Upvotes: 6
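As an added illustration that is not part of either post, the following Python applies the name-resolution precedence the answer lists to a relying-party profile and flags the mismatch behind the error in the question before the policy is uploaded. The policy XML is a constructed, namespace-free abridgement of the question's profile and the answer's objectId ClaimType declaration; the function names are my own.

```python
import xml.etree.ElementTree as ET

# Constructed sample (B2C namespace omitted for brevity): the question's relying-party
# profile naming "sub", plus ClaimType declarations; only objectId has a SAML2 default.
POLICY_XML = """<TrustFrameworkPolicy>
  <BuildingBlocks><ClaimsSchema>
    <ClaimType Id="objectId"><DefaultPartnerClaimTypes>
      <Protocol Name="SAML2" PartnerClaimType="http://schemas.microsoft.com/identity/claims/objectidentifier" />
    </DefaultPartnerClaimTypes></ClaimType>
    <ClaimType Id="displayName" /><ClaimType Id="givenName" />
  </ClaimsSchema></BuildingBlocks>
  <RelyingParty><TechnicalProfile Id="PolicyProfile"><Protocol Name="SAML2" />
    <OutputClaims>
      <OutputClaim ClaimTypeReferenceId="displayName" />
      <OutputClaim ClaimTypeReferenceId="givenName" />
    </OutputClaims>
    <SubjectNamingInfo ClaimType="sub" />
  </TechnicalProfile></RelyingParty>
</TrustFrameworkPolicy>"""

# The answer's fix on the same document: add objectId as an output claim and point
# SubjectNamingInfo at its SAML2 default partner claim type.
FIXED_XML = POLICY_XML.replace(
    "<OutputClaims>", '<OutputClaims><OutputClaim ClaimTypeReferenceId="objectId" />'
).replace('ClaimType="sub"', 'ClaimType="http://schemas.microsoft.com/identity/claims/'
          'objectidentifier" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" ExcludeAsClaim="true"')

def resolve_partner_names(policy_xml):
    """Name each RP output claim as the token-minting step sees it (the answer's precedence):
    PartnerClaimType set -> ClaimTypeReferenceId; else protocol default; else the Id itself."""
    root = ET.fromstring(policy_xml)
    tp = root.find("./RelyingParty/TechnicalProfile")
    protocol = tp.find("Protocol").get("Name")
    defaults = {ct.get("Id"): p.get("PartnerClaimType")
                for ct in root.iter("ClaimType")
                for p in ct.findall("./DefaultPartnerClaimTypes/Protocol")
                if p.get("Name") == protocol}
    names = {}
    for oc in tp.findall("./OutputClaims/OutputClaim"):
        ref = oc.get("ClaimTypeReferenceId")
        names[ref if oc.get("PartnerClaimType") else defaults.get(ref, ref)] = ref
    return names

def check_subject_naming(policy_xml):
    """(ok, message); ok is False when SubjectNamingInfo names a claim that no output
    claim resolves to, which is the condition behind the error quoted in the question."""
    names = resolve_partner_names(policy_xml)
    wanted = ET.fromstring(policy_xml).find(".//SubjectNamingInfo").get("ClaimType")
    if wanted in names:
        return True, f"SubjectNamingInfo '{wanted}' resolves to output claim '{names[wanted]}'"
    return False, f"SubjectNamingInfo '{wanted}' matches no output claim; have {sorted(names)}"
```

Running `check_subject_naming` over both documents reproduces the failure for the question's profile and passes for the answer's corrected one.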