Karikalan

Reputation: 167

Azure B2C SAML Authentication - AuthRequest does not have assertion consumer service URL error

I've followed the steps from https://learn.microsoft.com/en-us/azure/active-directory-b2c/saml-service-provider?tabs=windows&pivots=b2c-custom-policy

While testing I receive the error: "Application registered corresponding to IssuerUri "xyz.com/suite" in AuthRequest does not have assertion consumer service URL "xyz.com/suite/saml/AssertionConsumer" specified in its metadata.</samlp:StatusMessage>"

Using SAML tracer, I can see that both my SAML Request and Response contain the same AssertionConsumerServiceURL. The MS document says: If you choose to configure the reply URL and logout URL in the application manifest without populating the application's metadata endpoint via the samlMetadataUrl property, Azure AD B2C will not validate the SAML request signature, nor will it encrypt the SAML response.

I can see a workaround of specifying the PartnerEntity in the SP metadata URL for the Relying Party in the B2C_1A_signup_signin_saml custom policy: https://github.com/MicrosoftDocs/azure-docs/issues/61603

Unfortunately my web application's security compliance does not allow providing SP metadata endpoints. Do I need to host the SP / Appian SAML metadata file on an Azure Storage account, OR is it mandatory to provide an SP metadata endpoint to be referenced from the IdP application registration manifest?

Second question, I just want to make sure on the below. From the MS reference doc: You can change the value of the IssuerUri metadata item in the SAML token issuer technical profile. This change will be reflected in the issuerUri attribute returned in the SAML response from Azure AD B2C. Your application should be configured to accept the same issuerUri during SAML response validation.

My question on the above paragraph: an IssuerUri example can be .onmicrosoft.com/c3bcfc1c-1234-4a3b-96e6-db0933071234 (application / client id). Is this correct?

Thanks.

Upvotes: 2

Views: 3876
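The error quoted in the question is the IdP refusing an AuthnRequest whose AssertionConsumerServiceURL is not among the ACS locations registered for that issuer. Matching the ACS URL between the SP's own request and the IdP's response is not what is checked; the request is compared against the SP metadata (or the manifest reply URLs) held by the IdP. The following is an added illustration of that comparison, not code from the question, from Azure AD B2C, or from any SAML library: the `xyz.example` URLs, the metadata document and the `make_authn_request` helper are all constructed for the demonstration, and the exact-string comparison models the typical behaviour rather than Azure's implementation.

```python
"""Added example: the registration check an IdP performs on an AuthnRequest.
All hosts, URLs and XML below are constructed for illustration only."""
import xml.etree.ElementTree as ET
from typing import Set, Tuple
from urllib.parse import urlsplit

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed SP metadata: the document the IdP would fetch from the
# samlMetadataUrl (or the equivalent of the manifest's reply URLs).
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://xyz.example/suite">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://xyz.example/suite/saml/AssertionConsumer" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def make_authn_request(issuer: str, acs_url: str) -> str:
    """Hypothetical helper: build a minimal, unsigned AuthnRequest."""
    return (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_req1" Version="2.0" '
        'IssueInstant="2024-01-01T00:00:00Z" '
        f'AssertionConsumerServiceURL="{acs_url}">'
        f"<saml:Issuer>{issuer}</saml:Issuer>"
        "</samlp:AuthnRequest>"
    )


def load_sp_metadata(metadata_xml: str) -> Tuple[str, Set[str]]:
    """Return (entityID, set of registered ACS Location URLs)."""
    root = ET.fromstring(metadata_xml)
    acs_urls = {
        e.get("Location") for e in root.findall(".//md:AssertionConsumerService", NS)
    }
    return root.get("entityID"), acs_urls


def validate_authn_request(request_xml: str, metadata_xml: str) -> Tuple[bool, str]:
    """Accept the request only if its Issuer matches the registered entityID
    and its AssertionConsumerServiceURL is an exact registered ACS location."""
    entity_id, acs_urls = load_sp_metadata(metadata_xml)
    req = ET.fromstring(request_xml)
    issuer_el = req.find("saml:Issuer", NS)
    issuer = issuer_el.text.strip() if issuer_el is not None and issuer_el.text else ""
    if issuer != entity_id:
        return False, f"Issuer {issuer!r} does not match registered entityID {entity_id!r}"
    acs = req.get("AssertionConsumerServiceURL")
    if acs is None:
        # SAML 2.0 allows omitting the attribute; the IdP then uses the
        # default registered ACS instead of a value chosen by the requester.
        return True, "no ACS URL in request; default registered ACS applies"
    if acs in acs_urls:
        return True, f"ACS URL {acs!r} is registered"
    # Exact comparison failed: point out the usual near-miss causes
    # (scheme or trailing-slash differences) to speed up diagnosis.
    hint = ""
    for registered in acs_urls:
        a, b = urlsplit(acs), urlsplit(registered)
        if a.netloc == b.netloc and a.path.rstrip("/") == b.path.rstrip("/"):
            hint = f" (differs from {registered!r} only by scheme or trailing slash)"
    return False, f"ACS URL {acs!r} is not in SP metadata{hint}"


if __name__ == "__main__":
    for acs in (
        "https://xyz.example/suite/saml/AssertionConsumer",
        "https://xyz.example/suite/saml/AssertionConsumer/",
        "http://xyz.example/suite/saml/AssertionConsumer",
    ):
        print(validate_authn_request(make_authn_request("https://xyz.example/suite", acs), SP_METADATA))
```

The point for the question asker: the IdP only ever compares the request against what it has on record for that issuer, so whether the record comes from a hosted metadata endpoint or from reply URLs in the manifest, the ACS URL the SP sends must match one of those entries character for character.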

Answers (1)

Karikalan

Reputation: 167

"The username or password provided in the request are invalid" - This issue has been resolved by granting the "IdentityExperienceFramework" (user_impersonation - Delegated type) API permission. I could not see this solution in the MS documentation guidance; however, this has resolved my issue. Thanks.

Upvotes: 1
