CODEWITHSUNDEEP
azure-ad-b2cazure-ad-b2c-custom-policy
rkcp613
rkcp613

Reputation: 3

Unable to pass few claims from SAML IdP to SAML SP through Azure AD B2C custom policy

I am trying to get few claims passed from SAML IdP onto a SAML SP through azure ad b2c custom policy. I can signin and see those attributes coming from the SAML IdP but not able to pass the same to the SP. Mostly interested in getting the "groups" claims as a first step and trying to avoid making a REST call to MS graph to achieve this... Assuming these claims are already in the claims bag and hoping there is an easy way to pass onto the SP.

below is my custom signin and extension policy with the base files from SocialandLocalAccounts starter pack.

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<TrustFrameworkPolicy
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns:xsd="http://www.w3.org/2001/XMLSchema"
  xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06"
  PolicySchemaVersion="0.3.0.0"
  TenantId="myb2.onmicrosoft.com"
  PolicyId="**B2C_1A_SAML_TF_SP_SignIn**"
  PublicPolicyUri="http://myb2.onmicrosoft.com/B2C_1A_SAML_TF_SP_SignIn"

  TenantObjectId="f8cba1c5-22e8-4ddc-98c3-3b6afc4d5350" 
  DeploymentMode="Development" 
  UserJourneyRecorderEndpoint="urn:journeyrecorder:applicationinsights">
  
  <BasePolicy>
    <TenantId>myb2.onmicrosoft.com</TenantId>
    <PolicyId>B2C_1A_SAML_TFExtensions</PolicyId>
  </BasePolicy>

  <RelyingParty>
    <DefaultUserJourney ReferenceId="X-SignIn" />
      <TechnicalProfile Id="PolicyProfile">
        <DisplayName>PolicyProfile</DisplayName>
        <Protocol Name="SAML2"/>
        <OutputClaims>
          <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="objectId"/>
          <OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="" />
          <OutputClaim ClaimTypeReferenceId="displayName" />
          <OutputClaim ClaimTypeReferenceId="givenName" />      
          <OutputClaim ClaimTypeReferenceId="surname" PartnerClaimType="last_name"/>
          <OutputClaim ClaimTypeReferenceId="ipaddr"/>
          <OutputClaim ClaimTypeReferenceId="groups" DefaultValue="" />
          <OutputClaim ClaimTypeReferenceId="role" />
        </OutputClaims>
        <SubjectNamingInfo ClaimType="objectId" ExcludeAsClaim="false"/>
      </TechnicalProfile>
  </RelyingParty>
</TrustFrameworkPolicy>

SAML ClaimsProvider

Saml2AssertionIssuer

<UserJourneys>
  <UserJourney Id="X-SignIn">
    <OrchestrationSteps>
      <OrchestrationStep Order="1" Type="CombinedSignInAndSignUp" ContentDefinitionReferenceId="api.x-signin">
        <ClaimsProviderSelections>
          <ClaimsProviderSelection ValidationClaimsExchangeId="LocalAccountSigninEmailExchange" />
          <ClaimsProviderSelection TargetClaimsExchangeId="X-SignIn" />
        </ClaimsProviderSelections>
        <ClaimsExchanges>
          <ClaimsExchange Id="LocalAccountSigninEmailExchange" TechnicalProfileReferenceId="SelfAsserted-LocalAccountSignin-Email" />
        </ClaimsExchanges>
      </OrchestrationStep>
      <OrchestrationStep Order="2" Type="ClaimsExchange">
        <Preconditions>
          <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
            <Value>objectId</Value>
            <Action>SkipThisOrchestrationStep</Action>
          </Precondition>
        </Preconditions>
        <ClaimsExchanges>
          <ClaimsExchange Id="SignUpWithLogonEmailExchange" TechnicalProfileReferenceId="LocalAccountSignUpWithLogonEmail" />
          <ClaimsExchange Id="X-SignIn" TechnicalProfileReferenceId="X-SAML2" />
        </ClaimsExchanges>
      </OrchestrationStep>
      <OrchestrationStep Order="3" Type="ClaimsExchange">
        <Preconditions>
          <Precondition Type="ClaimEquals" ExecuteActionsIf="true">
            <Value>authenticationSource</Value>
            <Value>localAccountAuthentication</Value>
            <Action>SkipThisOrchestrationStep</Action>
          </Precondition>
        </Preconditions>
        <ClaimsExchanges>
          <ClaimsExchange Id="AADUserReadUsingAlternativeSecurityId" TechnicalProfileReferenceId="AAD-UserReadUsingAlternativeSecurityId-NoError" />
        </ClaimsExchanges>
      </OrchestrationStep>
      <OrchestrationStep Order="4" Type="ClaimsExchange">
        <Preconditions>
          <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
            <Value>objectId</Value>
            <Action>SkipThisOrchestrationStep</Action>
          </Precondition>
        </Preconditions>
        <ClaimsExchanges>
          <ClaimsExchange Id="SelfAsserted-Social" TechnicalProfileReferenceId="SelfAsserted-Social" />
        </ClaimsExchanges>
      </OrchestrationStep>
      <OrchestrationStep Order="5" Type="ClaimsExchange">
        <Preconditions>
          <Precondition Type="ClaimEquals" ExecuteActionsIf="false">
            <Value>authenticationSource</Value>
            <Value>socialIdpAuthentication</Value>
            <Action>SkipThisOrchestrationStep</Action>
          </Precondition>
        </Preconditions>
        <ClaimsExchanges>
          <ClaimsExchange Id="AADUserReadWithObjectId" TechnicalProfileReferenceId="AAD-UserReadUsingObjectId" />
        </ClaimsExchanges>
      </OrchestrationStep>
      <OrchestrationStep Order="6" Type="ClaimsExchange">
        <Preconditions>
          <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
            <Value>objectId</Value>
            <Action>SkipThisOrchestrationStep</Action>
          </Precondition>
        </Preconditions>
        <ClaimsExchanges>
          <ClaimsExchange Id="AADUserWrite" TechnicalProfileReferenceId="AAD-UserWriteUsingAlternativeSecurityId" />
        </ClaimsExchanges>
      </OrchestrationStep>
      <OrchestrationStep Order="7" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="Saml2AssertionIssuer"/>
    </OrchestrationSteps>
    <ClientDefinition ReferenceId="DefaultWeb" />
  </UserJourney>
</UserJourneys>

screenshot from SAML tracer:

SAML IdP

SAML assertion issuer

Upvotes: 0

Views: 124

Answers (1)

rbrayb
rbrayb

Reputation: 46773

If you look in the base file, you see for givenName:

<DefaultPartnerClaimTypes>
          <Protocol Name="OAuth2" PartnerClaimType="given_name" />
          <Protocol Name="OpenIdConnect" PartnerClaimType="given_name" />
          <Protocol Name="SAML2" PartnerClaimType="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" />
</DefaultPartnerClaimTypes>

Using that, you simply map the claims as OutputClaim in the SAML claims provider.

Or you can use this mapping:

<OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="http://schemas.microsoft.com/identity/claims/displayname" />

And ensure that they are also output in the RelyingParty.

Upvotes: 1

Related Questions