Reputation: 25
I have an application linked to MS Entra; I have set this application (App1) up as an Enterprise Application to use SSO. It has only a few users (3) and is meant to use SAML.
Some settings: certificates, list of claims returned by Entra
On the other hand, I have a B2C tenant that is meant to use this MS Entra application for SSO, and I need to retrieve the email address that belongs to the signed-in user.
I have copied the certificate from MS Entra and added it to the SamlAssertionSigning metadata (done in B2C through the portal); the other certificate, SamlMessageSigning, is a new one.
The main problem is that I can't grab the info that is coming from the SAML assertion (Entra application).
I have the following code:
    <TechnicalProfile Id="MsEntraId-SAML2">
      <DisplayName>Salesforce</DisplayName>
      <Description>ENtra SAML</Description>
      <Protocol Name="SAML2" />
      <Metadata>
        <!-- <Item Key="RequestsSigned">false</Item> -->
        <Item Key="ResponsesSigned">false</Item>
        <Item Key="WantsEncryptedAssertions">false</Item>
        <Item Key="WantsSignedAssertions">false</Item>
        <Item Key="PartnerEntity">https://login.microsoftonline.com/<guidhere>/federationmetadata/2007-06/federationmetadata.xml</Item>
      </Metadata>
      <CryptographicKeys>
        <Key Id="SamlAssertionSigning" StorageReferenceId="B2C_1A_EntraMs" />
        <Key Id="SamlMessageSigning" StorageReferenceId="B2C_1A_MsEntraSAMLCert" />
      </CryptographicKeys>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="UserPrincipalName" />
        <OutputClaim ClaimTypeReferenceId="userPrincipalName" />
        <OutputClaim ClaimTypeReferenceId="Email" Required="true" PartnerClaimType="Email" />
        <OutputClaim ClaimTypeReferenceId="objectid" PartnerClaimType="Subject" />
        <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="userprincipalname" DefaultValue="not found" />
        <OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="user.givenname" />
        <OutputClaim ClaimTypeReferenceId="surname" PartnerClaimType="family_name" />
        <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="user.mail" />
        <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="username" />
        <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" />
        <OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="entra.com" />
      </OutputClaims>
      <OutputClaimsTransformations>
        <OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName" />
        <OutputClaimsTransformation ReferenceId="CreateUserPrincipalName" />
        <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId" />
        <OutputClaimsTransformation ReferenceId="CreateSubjectClaimFromAlternativeSecurityId" />
      </OutputClaimsTransformations>
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-Saml-idp" />
    </TechnicalProfile>
and then I have the following in the relying party:
    <RelyingParty>
      <DefaultUserJourney ReferenceId="SignUpOrSignInMsEntra" />
      <UserJourneyBehaviors>
        <ScriptExecution>Allow</ScriptExecution>
      </UserJourneyBehaviors>
      <!-- <Endpoints> -->
      <!-- points to refresh token journey when app makes refresh token request -->
      <!-- <Endpoint Id="Token" UserJourneyReferenceId="RedeemRefreshToken" /> -->
      <!-- </Endpoints> -->
      <TechnicalProfile Id="PolicyProfile">
        <DisplayName>PolicyProfile</DisplayName>
        <Protocol Name="OpenIdConnect" />
        <OutputClaims>
          <OutputClaim ClaimTypeReferenceId="userprincipalname" PartnerClaimType="UserPrincipalName" />
          <OutputClaim ClaimTypeReferenceId="Email" />
          <OutputClaim ClaimTypeReferenceId="objectid" />
          <OutputClaim ClaimTypeReferenceId="issuerUserId" />
          <OutputClaim ClaimTypeReferenceId="displayName" />
          <OutputClaim ClaimTypeReferenceId="userPrincipalName" />
          <OutputClaim ClaimTypeReferenceId="userPrincipalName" />
          <OutputClaim ClaimTypeReferenceId="givenName" />
          <OutputClaim ClaimTypeReferenceId="surname" />
          <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="user.mail" />
          <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub" />
          <OutputClaim ClaimTypeReferenceId="tenantId" AlwaysUseDefaultValue="true" DefaultValue="{Policy:TenantObjectId}" />
          <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub" />
        </OutputClaims>
        <SubjectNamingInfo ClaimType="sub" />
      </TechnicalProfile>
    </RelyingParty>
So far, email is not coming back; all of the userPrincipalName claims come from B2C, and the rest of the claims that are linked to Entra are not appearing.
Upvotes: 1
Views: 35
Reputation: 497
The claims were not following the expected name; this will fix it for the email address.
Upvotes: 0
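As an added diagnostic that is not part of the thread and not the answerer's code: a SAML technical profile only populates an OutputClaim when its PartnerClaimType equals the assertion's Attribute Name character for character, so parse the response captured from the Entra sign-in and list which PartnerClaimType values have no matching attribute. The SAML response below is a constructed, unsigned sample using Entra's default SAML claim URIs; the tenant id and user are placeholders, and a real capture would be taken from your own browser trace.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample: the parts of an Entra SAML response that matter for
# claim mapping (Signature elements omitted). Attribute names are Entra's
# default claim URIs, not short names such as "Email" or "user.mail".
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
    <saml:Subject><saml:NameID>alice@contoso.example</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <saml:AttributeValue>alice@contoso.example</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
        <saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
        <saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# ClaimTypeReferenceId -> PartnerClaimType, copied from the question's profile.
POLICY_PARTNER_CLAIMS = {
    "Email": "Email",
    "givenName": "user.givenname",
    "surname": "family_name",
    "email": "user.mail",
}


def assertion_attributes(saml_response_xml):
    """Return ({attribute Name: [values]}, NameID) from one SAML response."""
    root = ET.fromstring(saml_response_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.iterfind("saml:AttributeValue", NS)]
    name_id = root.findtext(".//saml:Subject/saml:NameID", namespaces=NS)
    return attrs, name_id


def unmatched_partner_claims(saml_response_xml, partner_claims):
    """PartnerClaimType values that match no Attribute Name exactly (these stay empty in B2C)."""
    attrs, _ = assertion_attributes(saml_response_xml)
    return {claim: partner for claim, partner in partner_claims.items() if partner not in attrs}
```

Every entry the second function returns is a claim B2C will leave empty until its PartnerClaimType is changed to the full URI the assertion actually carries.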