Alex

Reputation: 18556

B2C as SAML IDP can no longer be set up after breaking change to identifierUris

I am currently implementing SAML sign in for our B2C tenants based on the documentation. I already did this a couple of weeks ago as a proof of concept. However, the recent breaking change now prevents me from implementing the solution.

I now get this error when I try to set up the identifierUris.

Failed to update B2C-SamlSignIn application. Error detail: Values of IdentifierUris property must use a verified domain of the organization or its subdomain: 

In my working proof of concept, I had an identifierUri which does not fit into the new requirements for the domain. Without it, the solution is no longer working with the external application I am trying to connect. I get a redirect loop when I initiate login. The loop indicates that the removed identifierUri is the issue:

<samlp:StatusMessage>Application registered corresponding to IssuerUri https://someotherdomain/somethingspecific in AuthRequest does not have assertion consumer service URL https://someotherdomain/somethingspecific/broker/saml/endpoint specified in its metadata.</samlp:StatusMessage><samlp:StatusDetail>

https://someotherdomain/somethingspecific is the value I had set up before. I cannot change the entityId in the other application.

Is there a way to get it working again? I tried creating a new application which has "Accounts in any identity provider or organizational directory (for authenticating users with user flows)", but the same restrictions seem to apply there.

Upvotes: 0

Views: 937

Answers (2)

366Cobra

Reputation: 39

@doodlleus - For me it still works, but only if I choose the correct "Support type". When creating the app, select e.g.

Accounts in this organizational directory only (... - Single tenant)

Once created, the manifest will have the "accessTokenAcceptedVersion" attribute set to "null", which I changed to "2", and then I could set "identifierUris".

Upvotes: 1

Jas Suri - MSFT

Reputation: 11335

There was a change made. In the App manifest, update the accessTokenAcceptedVersion to 2.

If you do not update the accessTokenAcceptedVersion to 2, you will receive an error message requiring a verified domain.

https://learn.microsoft.com/en-us/azure/active-directory-b2c/saml-service-provider?tabs=windows&pivots=b2c-custom-policy#add-the-identifier

Upvotes: 3
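The two-step fix described in the answers above (set accessTokenAcceptedVersion to 2 first, then set identifierUris), scripted with the Microsoft Graph PowerShell SDK so the order is enforced and the result is verified. This is an added example, not code from the thread; the application object id is a placeholder and the entityId is the value from the question.

```powershell
# Added example: apply and verify the manifest change from the answers above.
# Requires the Microsoft.Graph PowerShell module and Application.ReadWrite.All consent.
Connect-MgGraph -Scopes "Application.ReadWrite.All"

$appObjectId = "<object-id-of-B2C-SamlSignIn>"              # placeholder: Object ID (not the client ID)
$entityId    = "https://someotherdomain/somethingspecific"  # the SP's fixed entityId from the question

# Step 1: the manifest field "accessTokenAcceptedVersion" is exposed in Graph as
# api.requestedAccessTokenVersion. It must be 2 before a non-verified-domain URI is accepted.
Update-MgApplication -ApplicationId $appObjectId -Api @{ RequestedAccessTokenVersion = 2 }

# Step 2: now set the identifierUri that matches the relying party's IssuerUri.
Update-MgApplication -ApplicationId $appObjectId -IdentifierUris @($entityId)

# Verify both values were persisted; fail loudly if the portal/Graph silently dropped one.
$app = Get-MgApplication -ApplicationId $appObjectId
if ($app.Api.RequestedAccessTokenVersion -ne 2) {
    throw "accessTokenAcceptedVersion is '$($app.Api.RequestedAccessTokenVersion)', expected 2"
}
if ($app.IdentifierUris -notcontains $entityId) {
    throw "identifierUris does not contain $entityId"
}
Write-Host "Manifest updated: accessTokenAcceptedVersion=2, identifierUris=$($app.IdentifierUris -join ', ')"
```

Run Step 1 and Step 2 as separate calls: combining them in one PATCH can still be rejected with the verified-domain error because the version check is evaluated against the stored value.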
