27

here is an error img

I need a federated authentication with custom policy (when user authenticated I need him to appear marked as Federated in b2c users, not Others or something else what I could achieve with single tenant), I had it before with default policy setup in azure as OpenId provider, but did not find how to do FEDERATION Authentication with OpenId in custom policy, so I did it with SAML and below what I've got.

I tried Single tenant and it is not what I need. Also problem is not with signing key, because I've already had this issue and resolved this. I created self signed certificate, uploaded it to AAD application first and to b2c policy keys after. I think the application which authenticate the federation is not an issue, because I works with default policy.

    <TechnicalProfile Id="Office-SAML2">
      <DisplayName>Microsoft Office 365</DisplayName>
      <Description>Login with your ADFS account</Description>
      <Protocol Name="SAML2"/>
      <Metadata>
        <Item Key="WantsSignedRequests">false</Item>
        <Item Key="PartnerEntity">https://login.microsoftonline.com/<b2c tenant id>/federationmetadata/2007-06/federationmetadata.xml</Item>
        <Item Key="XmlSignatureAlgorithm">Sha256</Item>
      </Metadata>
      <CryptographicKeys>
        <Key Id="SamlAssertionSigning" StorageReferenceId="B2C_1A_SamlCert"/>
        <Key Id="SamlMessageSigning" StorageReferenceId="B2C_1A_SamlCert"/>
      </CryptographicKeys>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="userPrincipalName" />
        <OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="given_name"/>
        <OutputClaim ClaimTypeReferenceId="surname" PartnerClaimType="family_name"/>
        <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="email"/>
        <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name"/>
        <OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="https://sts.windows.net/<b2c tenant id>/" AlwaysUseDefaultValue="true" />
        <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" AlwaysUseDefaultValue="true" />
      </OutputClaims>
      <OutputClaimsTransformations>
        <OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName"/>
        <OutputClaimsTransformation ReferenceId="CreateUserPrincipalName"/>
        <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId"/>
        <OutputClaimsTransformation ReferenceId="CreateSubjectClaimFromAlternativeSecurityId"/>
      </OutputClaimsTransformations>
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-Noop"/>
    </TechnicalProfile>

I have been doing everything through this reference https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-custom-setup-adfs2016-idp

kenorb
  • 155,785
  • 88
  • 678
  • 743
basilio
  • 271
  • 1
  • 3
  • 4

5 Answers5

55

I ran in to this problem because I was using the ID of in the Client secret section instead of using the Application (client) ID.

Use This For The ID

randomsolutions
  • 2,075
  • 1
  • 19
  • 22
3

I have faced this error below are the possibilities:

  • This error means you have made a mistakes while configuring the Client ID OR tenant ID in your code, First please confirm that both are same as your azure portal application client and tenant.

  • In my case i had entered wrong client id in my code.

  • Please check this https://github.com/MicrosoftDocs/azure-docs/issues/24673

lazyCoder
  • 2,544
  • 3
  • 22
  • 41
2

The problem here is that the AAD Application Registration has an identifier URI that does not match that being requested in the authentication request. You can fix this by:

  1. Copying the URL in the obscured screenshot
  2. Navigating to Azure AD Blade in the Azure AD Tenant to which you want to federate with 3. Access the Enterprise Applications menu, find the App Registration by ApplicationId(ClientId)
  3. Open the Single Sign-On menu.
  4. Paste the URL from the error into the Identifier (Entity ID) option

You also need the correct Reply URL:
https://contoso.b2clogin.com/te/contoso.onmicrosoft.com/<policyd of Base>/samlp/sso/assertionconsumer

You are much better off using OpenId (which also allows for multi tenant access):
https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-setup-aad-custom

Jas Suri - MSFT
  • 10,605
  • 2
  • 10
  • 20
0

For me, the problem was that my application Identifier (Entity ID) from Basic SAML Configuration menu, didn't match with the one declared by the application provider.

RookieRoo
  • 161
  • 1
  • 6
0

Adding to this, for me I had to select the following option from the Authentication options.

Supported Account Types Option

gallivantingitalian
  • 67
  • 1
  • 2
  • 5
  • Welcome to Stack Overflow! Links to external resources are encouraged, but please [edit] to add context around the link so your fellow users will have some idea what it is and why it’s there. Always quote the most relevant part of an important link, in case the external resource is unreachable or goes permanently offline. Links to other websites should always be _helpful_, but avoid making it _necessary_ to click on them as much as possible. – Fastnlight Nov 01 '22 at 17:39
  • This was the solution for me. Only works within Multi Tentant configured. If you, like me, only use "organizational directory only (Default Directory only - Single tenant)" you won't get an access_token. – lema Mar 19 '23 at 23:48