Reputation: 135
I configured SAML with Azure B2C. The following is my Azure B2C manifest file:
{
  "id": "xxx",
  "acceptMappedClaims": null,
  "accessTokenAcceptedVersion": 2,
  "addIns": [],
  "allowPublicClient": true,
  "appId": "xxx",
  "appRoles": [],
  "oauth2AllowUrlPathMatching": false,
  "createdDateTime": "2023-07-28T07:24:33Z",
  "description": null,
  "certification": null,
  "disabledByMicrosoftStatus": null,
  "groupMembershipClaims": null,
  "identifierUris": [
    "ABC"
  ],
  "informationalUrls": {
    "termsOfService": null,
    "support": null,
    "privacy": null,
    "marketing": null
  },
  "keyCredentials": [],
  "knownClientApplications": [],
  "logoUrl": null,
  "logoutUrl": null,
  "name": "A",
  "notes": null,
  "oauth2AllowIdTokenImplicitFlow": false,
  "oauth2AllowImplicitFlow": false,
  "oauth2Permissions": [],
  "oauth2RequirePostResponse": false,
  "optionalClaims": null,
  "orgRestrictions": [],
  "parentalControlSettings": {
    "countriesBlockedForMinors": [],
    "legalAgeGroupRule": "Allow"
  },
  "passwordCredentials": [],
  "preAuthorizedApplications": [],
  "publisherDomain": "sample.onmicrosoft.com",
  "replyUrlsWithType": [
    {
      "url": "https://sample.com/api-gateway/auth-method/acs",
      "type": "Web"
    }
  ],
  "requiredResourceAccess": [
    {
      "resourceAppId": "dddd-0000-0000-c000-dd",
      "resourceAccess": [
        {
          "id": "7427sadse0e9-2fba-42fe-b0c0-848c9e6a8182",
          "type": "Scope"
        },
        {
          "id": "e1fe6dd8-ba31-4d61-8sad9e7-88639da4683d",
          "type": "Scope"
        },
        {
          "id": "37f7f235-527c-4136-accdasd-4a02d197296e",
          "type": "Scope"
        }
      ]
    }
  ],
  "signInUrl": null,
  "signInAudience": "AzureADMsadyOrg",
  "tags": [],
  "tokenEncryptionKeyId": null
}
When I try to log in, I receive an error response:
"SAML status error: Unsuccessful operation: <ns0:Status xmlns:ns0="urn:oasis:names:tc:SAML:2.0:protocol"> <ns0:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester" />ns0:StatusMessage Application registered corresponding to IssuerUri "ABC" in AuthRequest does not have assertion consumer service URL "https://sample.com/api-gateway/auth-method/acs" specified in its metadata.</ns0:StatusMessage>ns0:StatusDetailfalse </ns0:StatusDetail></ns0:Status>\nApplication registered corresponding to IssuerUri "ABC" in AuthRequest does not have assertion consumer service URL "https://sample.com/api-gateway/auth-method/acs" specified in its metadata. from None"
Upvotes: 0
Views: 1175
Reputation: 318
For anyone following the same Microsoft tutorial: filling in the samlMetadataUrl and replyUrlsWithType was not enough for me, as I was getting the same error. Only after I set the accessTokenAcceptedVersion value in the App's manifest back to null was I able to make it work.
Upvotes: 0
Reputation: 2346
I followed this MS Doc to configure SAML with Azure AD B2C.
Initially, I created one policy key named B2C_1A_SamlIdpCert in my B2C tenant:
Now, make sure to include the IssuerUri metadata key while adding the Claims Provider in your TrustFrameworkExtensions.xml file:
<ClaimsProvider>
  <DisplayName>Token Issuer</DisplayName>
  <TechnicalProfiles>
    <!-- SAML Token Issuer technical profile -->
    <TechnicalProfile Id="Saml2AssertionIssuer">
      <DisplayName>Token Issuer</DisplayName>
      <Protocol Name="SAML2"/>
      <OutputTokenFormat>SAML2</OutputTokenFormat>
      <Metadata>
        <Item Key="IssuerUri">https://srib2caadtenant.onmicrosoft.com/SAMLApp1</Item>
      </Metadata>
      <CryptographicKeys>
        <Key Id="SamlAssertionSigning" StorageReferenceId="B2C_1A_SamlIdpCert"/>
        <Key Id="SamlMessageSigning" StorageReferenceId="B2C_1A_SamlIdpCert"/>
      </CryptographicKeys>
      <InputClaims/>
      <OutputClaims/>
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-Saml-issuer"/>
    </TechnicalProfile>
    <!-- Session management technical profile for SAML-based tokens -->
    <TechnicalProfile Id="SM-Saml-issuer">
      <DisplayName>Session Management Provider</DisplayName>
      <Protocol Name="Proprietary" Handler="Web.TPEngine.SSO.SamlSSOSessionProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/>
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>
I created one custom policy named B2C_1A_SIGNUP_SIGNIN_SAML that looks like:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<TrustFrameworkPolicy
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns:xsd="http://www.w3.org/2001/XMLSchema"
  xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06"
  PolicySchemaVersion="0.3.0.0"
  TenantId="srib2caadtenant.onmicrosoft.com"
  PolicyId="B2C_1A_signup_signin_saml"
  PublicPolicyUri="http://srib2caadtenant.onmicrosoft.com/B2C_1A_signup_signin_saml">
  <BasePolicy>
    <TenantId>srib2caadtenant.onmicrosoft.com</TenantId>
    <PolicyId>B2C_1A_TrustFrameworkExtensions</PolicyId>
  </BasePolicy>
  <UserJourneys>
    <UserJourney Id="SignUpOrSignIn">
      <OrchestrationSteps>
        <OrchestrationStep Order="4" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="Saml2AssertionIssuer"/>
      </OrchestrationSteps>
    </UserJourney>
  </UserJourneys>
  <RelyingParty>
    <DefaultUserJourney ReferenceId="SignUpOrSignIn" />
    <TechnicalProfile Id="PolicyProfile">
      <DisplayName>PolicyProfile</DisplayName>
      <Protocol Name="SAML2"/>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="displayName" />
        <OutputClaim ClaimTypeReferenceId="givenName" />
        <OutputClaim ClaimTypeReferenceId="surname" />
        <OutputClaim ClaimTypeReferenceId="email" DefaultValue="" />
        <OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="" />
        <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="objectId"/>
      </OutputClaims>
      <SubjectNamingInfo ClaimType="objectId" ExcludeAsClaim="true"/>
    </TechnicalProfile>
  </RelyingParty>
</TrustFrameworkPolicy>
Now, I registered one Azure AD B2C application and added the below redirect URIs:
Make sure to change the above application's Manifest by modifying the identifier URI to the same value as the issuerUri in the claims provider:
To test this, I entered these details in the SAML Test application like this:
When I clicked on Login, it redirected me to the Sign in and sign up page:
After signing in successfully, I got the below screen:
When I gave the wrong value ABC to the issuer and identifier, I too got a similar error:
In your case, make sure to add the issuer URI metadata in the claims provider element and update your App's Manifest identifier URI with the same value to resolve the error.
Upvotes: 0
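A pre-flight consistency check for the mismatch the question's error describes and for the fixes the two answers apply, as an added example that is not code from the question, the answers, or Microsoft. Using only Python's standard ElementTree, it parses the SP's AuthnRequest and B2C's samlp:Status element, then compares the request's Issuer and AssertionConsumerServiceURL against the manifest's identifierUris and replyUrlsWithType, which is the relationship the status message states. It also reads the IssuerUri item from a TrustFrameworkExtensions snippet and reports when it differs from identifierUris, which is the alignment the second answer recommends, and flags a non-null accessTokenAcceptedVersion, which the first answer reports as the cause in their case. The manifest, policy snippet, AuthnRequest and status XML are all constructed for the example from values on this page; the function names are mine.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
CPIM = "http://schemas.microsoft.com/online/cpim/schemas/2013/06"

# Constructed: the keys of the question's app manifest that the error message refers to.
MANIFEST = {
    "identifierUris": ["ABC"],
    "accessTokenAcceptedVersion": 2,
    "replyUrlsWithType": [
        {"url": "https://sample.com/api-gateway/auth-method/acs", "type": "Web"},
    ],
}

# Constructed: the IssuerUri metadata item from the claims provider in the second answer.
POLICY_XML = f"""<TrustFrameworkExtensions xmlns="{CPIM}">
  <TechnicalProfile Id="Saml2AssertionIssuer">
    <Metadata>
      <Item Key="IssuerUri">https://srib2caadtenant.onmicrosoft.com/SAMLApp1</Item>
    </Metadata>
  </TechnicalProfile>
</TrustFrameworkExtensions>"""

# Constructed: the AuthnRequest an SP configured as in the question would send to B2C.
AUTHN_REQUEST_XML = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_example-request-id" Version="2.0" IssueInstant="2023-07-28T07:24:33Z"
    AssertionConsumerServiceURL="https://sample.com/api-gateway/auth-method/acs">
  <saml:Issuer>ABC</saml:Issuer>
</samlp:AuthnRequest>"""

# Constructed: a well-formed version of the samlp:Status element quoted in the question.
STATUS_XML = f"""<samlp:Status xmlns:samlp="{SAMLP}">
  <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester"/>
  <samlp:StatusMessage>Application registered corresponding to IssuerUri "ABC" in AuthRequest does not have assertion consumer service URL "https://sample.com/api-gateway/auth-method/acs" specified in its metadata.</samlp:StatusMessage>
</samlp:Status>"""


def policy_issuer_uri(policy_xml):
    """Return the IssuerUri metadata value of the SAML token issuer profile, or None if absent."""
    root = ET.fromstring(policy_xml)
    for item in root.iter(f"{{{CPIM}}}Item"):
        if item.get("Key") == "IssuerUri":
            return (item.text or "").strip()
    return None


def authn_request_fields(request_xml):
    """Return (issuer, acs_url) from a SAML 2.0 AuthnRequest; either may be None."""
    root = ET.fromstring(request_xml)
    issuer = root.find(f"{{{SAML}}}Issuer")
    issuer_value = issuer.text.strip() if issuer is not None and issuer.text else None
    return issuer_value, root.get("AssertionConsumerServiceURL")


def parse_saml_status(status_xml):
    """Return (status_code, status_message) from a samlp:Status element for triage."""
    root = ET.fromstring(status_xml)
    code = root.find(f"{{{SAMLP}}}StatusCode")
    message = root.find(f"{{{SAMLP}}}StatusMessage")
    code_value = code.get("Value") if code is not None else None
    message_value = message.text.strip() if message is not None and message.text else None
    return code_value, message_value


def check_sp_registration(manifest, policy_xml, request_xml):
    """Return a list of mismatch descriptions; an empty list means the sources agree."""
    findings = []
    issuer, acs_url = authn_request_fields(request_xml)
    identifier_uris = manifest.get("identifierUris", [])
    reply_urls = [entry["url"] for entry in manifest.get("replyUrlsWithType", [])]

    # The two conditions named in the status message: B2C locates the app by the
    # request's Issuer, then requires the request's ACS URL to be registered for it.
    if issuer not in identifier_uris:
        findings.append(f"AuthnRequest Issuer {issuer!r} is not in identifierUris {identifier_uris}")
    if acs_url not in reply_urls:
        findings.append(f"AuthnRequest ACS URL {acs_url!r} is not among reply URLs {reply_urls}")

    # The second answer's recommendation: identifier URI equal to the policy's IssuerUri.
    policy_issuer = policy_issuer_uri(policy_xml)
    if policy_issuer is not None and policy_issuer not in identifier_uris:
        findings.append(f"policy IssuerUri {policy_issuer!r} differs from identifierUris {identifier_uris}")

    # The first answer's observation: a non-null accessTokenAcceptedVersion caused the same error.
    if manifest.get("accessTokenAcceptedVersion") is not None:
        findings.append("accessTokenAcceptedVersion is not null")
    return findings


def run_example():
    """Run the checks on the constructed inputs and return the findings (two, for these inputs)."""
    return check_sp_registration(MANIFEST, POLICY_XML, AUTHN_REQUEST_XML)


if __name__ == "__main__":
    code, message = parse_saml_status(STATUS_XML)
    print(f"status {code}: {message}")
    for finding in run_example():
        print("MISMATCH:", finding)
```

With the page's values the Issuer and ACS URL checks pass, as the status message implies (B2C did find the app registered for "ABC"), and the two findings that remain are exactly the two changes the answers made: the identifier URI differing from the policy's IssuerUri and accessTokenAcceptedVersion not being null. A `urn:oasis:names:tc:SAML:2.0:status:Requester` code tells the person triaging that B2C rejected the SP's request rather than failing internally, so the place to look is the SP registration, not the policy keys.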