MS Azure AD B2C as SAML IDP not working


Problem description

Background

I have an application in which users sign up / sign in through AD B2C. In the application there is a link which redirects to another application that works on SAML, so I want MS Azure to work as the IDP and send SAML to the third application.

We achieved this in AAD (not AD B2C) through a non-gallery application, but we are getting problems in AD B2C.

We followed this document https://github.com/Azure-Samples/active-directory-b2c-advanced-policies/blob/master/Walkthroughs/RP-SAML.md but when we hit the URL it says "AADB2C: An exception has occurred".

Base file - https://www.dropbox.com/s/ro6arbs57c43el2/base.xml?dl=0

Extensions file - https://www.dropbox.com/s/uqojtk432b3wny1/base_Extensions.xml?dl=0

SignInSaml file - https://www.dropbox.com/s/i950s4bwwagry5k/signinsaml.xml?dl=0

Recommended answer

The best thing you could do is work with OIDC first and confirm the policy is working, and then overwrite the step where you issue a JWT token with SAML.

When working with SAML I have this format:

- Base
- Base-extensions (if you want it - I tend not to)
- policy-OIDC (this extends base)
- policy-SAML (this extends OIDC)

In the policy SAML I then override my user journey orchestration step that calls the JWTIssuer and then call my SAML token creator.

The reason for this approach is that B2C has been designed to work with OIDC; you can confirm that the journey is working as expected in OIDC and then switch to your SAML.

I'd also use the journey recorder. I find the older B2C journey recorder better than App Insights, but both track the same data.

After checking my SAML in the office, you're missing some metadata to tell SAML how to behave in your policy:

```xml
<Metadata>
  <Item Key="IdpInitiatedProfileEnabled">true</Item>
  <Item Key="RequestsSigned">false</Item>
  <Item Key="WantsSignedResponses">true</Item>
  <Item Key="ResponsesSigned">true</Item>
  <Item Key="AssertionsEncrypted">false</Item>
  <Item Key="WantsEncryptedAssertions">false</Item>
  <Item Key="PartnerEntity">https://my-calling-application/authservices</Item>
</Metadata>
<SubjectNamingInfo ClaimType="UserId" />
```

Your SubjectNamingInfo will also need to be http://schemas.microsoft.com/identity/claims/userprincipalname, as this is the SAML name you defined in your base policy.
