question

BlackCat-8490 asked ·

Azure B2C SSO to SAML app at Azure AD

A user can sign on to Azure B2C with a social account (FB, Google) but wants to SSO to a SAML app at Azure AD (Azure AD is the IdP). Is this possible? If yes, please send me any docs. Thanks

azure-ad-saml-sso

amanpreetsingh-msft answered ·

Hi @BlackCat-8490 · Thank you for reaching out.

In this scenario, for an SSO experience to a SAML-based app, I would suggest you directly federate the application with the B2C tenant. Azure AD B2C can act as a SAML IdP for SAML-based applications and at the same time act as a Service Provider for other IdPs such as FB/Google/ADFS/Salesforce etc.

If you have the above setup working, users accessing the SAML-based app will be redirected to the B2C sign-up/sign-in page, where they can select any IdP, be it the B2C tenant itself or other IdPs such as FB/Google/ADFS/Salesforce/another Azure AD tenant etc., to sign into the SAML application.

To see this in action, please perform the steps below:
1. Access my test SAML app (https://samltestapp2.azurewebsites.net/SP)
2. Enter the values below and click on the login button: [screenshot attached]
3. You will then be redirected to my B2C sign-up/sign-in page, where you can sign up for a local account or use your FB or Azure AD account to sign into the application. [screenshot attached]

Read More: https://docs.microsoft.com/en-us/azure/active-directory-b2c/connect-with-saml-service-providers?tabs=windows


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.



BlackCat-8490 answered ·

Based on your comment, it looks like I have to reconfigure the SAML2 app with Azure B2C instead of Azure AD. Is there a parameter, just like WHR, which will allow the user to go directly to the IdP their account belongs to? I am trying to minimize the change in user experience.

Thanks


@BlackCat-8490 · Here’s an example of what the request would look like with “contoso.com” as the domain name hint:

 <samlp:AuthnRequest xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="iddebxxxxxxxxfd6a253b97205d47c6f" Version="2.0" IssueInstant="2020-02-23T18:57:06.4772751Z" IsPassive="false" AssertionConsumerServiceURL="https://www.example.com/saml/inboundauthnresponse" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
   <saml:Issuer>https://www.example.com</saml:Issuer>
   <samlp:Scoping>
     <samlp:IDPList>
       <samlp:IDPEntry ProviderID="https://contoso.com" Name="contoso.com"/>
     </samlp:IDPList>
   </samlp:Scoping>
 </samlp:AuthnRequest>
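The Scoping/IDPList domain hint above is easiest to follow end to end in code. The Python below is an added example, not code from the thread or from Microsoft; it builds such an AuthnRequest, wraps it in the SAML HTTP-Redirect binding (DEFLATE, base64, URL-encode), and shows how the receiving IdP validates the envelope and reads the hint. The issuer and ACS URLs are the placeholders from the sample request.

```python
import base64
import uuid
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import quote, unquote

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

def build_authn_request(issuer, acs_url, domain_hint=None):
    """Build an AuthnRequest; with a domain hint it adds the Scoping/IDPList from the thread."""
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": "id" + uuid.uuid4().hex,  # xs:ID values may not start with a digit
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "IsPassive": "false",
        "AssertionConsumerServiceURL": acs_url,
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    if domain_hint:
        scoping = ET.SubElement(req, f"{{{SAMLP}}}Scoping")
        idp_list = ET.SubElement(scoping, f"{{{SAMLP}}}IDPList")
        ET.SubElement(idp_list, f"{{{SAMLP}}}IDPEntry", {"ProviderID": f"https://{domain_hint}", "Name": domain_hint})
    return ET.tostring(req, encoding="unicode")

def encode_redirect_binding(xml):
    """HTTP-Redirect binding: raw DEFLATE, then base64, then URL-encode -> SAMLRequest parameter value."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = raw deflate, no zlib header/trailer
    raw = comp.compress(xml.encode("utf-8")) + comp.flush()
    return quote(base64.b64encode(raw).decode("ascii"), safe="")

def decode_redirect_binding(param):
    """Reverse of encode_redirect_binding: what the IdP does with the SAMLRequest query parameter."""
    return zlib.decompress(base64.b64decode(unquote(param)), -15).decode("utf-8")

def extract_domain_hint(xml):
    """Validate the AuthnRequest envelope, then return the IDPEntry Name (None when no hint is present).
    A real IdP additionally checks the Issuer is a registered SP and the ACS URL matches its registration."""
    root = ET.fromstring(xml)
    if root.tag != f"{{{SAMLP}}}AuthnRequest" or root.get("Version") != "2.0":
        raise ValueError("not a SAML 2.0 AuthnRequest")
    for attr in ("ID", "IssueInstant"):  # required by the SAML 2.0 schema
        if not root.get(attr):
            raise ValueError(f"missing required attribute {attr}")
    entry = root.find(f"{{{SAMLP}}}Scoping/{{{SAMLP}}}IDPList/{{{SAMLP}}}IDPEntry")
    return entry.get("Name") if entry is not None else None
```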
BlackCat-8490 commented (to amanpreetsingh-msft) ·

Appreciated your sample. Thanks
