mrochon / b2csamples

MIT License

SAML TechnicalProfile #2

Closed lastbuilders closed 2 years ago

lastbuilders commented 4 years ago

Hi Marius,

I am working on a SSO project with several multi-tenancy applications and believe this project covers many of the use cases I have. The applications support SAML as some are quite legacy without OIDC support.

Can you confirm if this solution will work using the B2C SAML TechnicalProfile and also if the appTenantId custom attribute can be returned in the SAML Assertion as an attribute? Any guidance on this would be very much appreciated as while I have gotten the SAML B2C integration examples using custom policies working I am not very experienced with Custom Policies at this point.

Kind Regards, Lastbuilders

mrochon commented 4 years ago

It will work. SAML is just another profile, which can be used instead of the default JwtIssuer. You control which claims are issued in the relying party part of your IEF policy. Have a look at the B2CIEF-Upload PS in my github to help you manage policy uploads. One thing I am looking at changing in the REST functions is to define a separate url path segment for APIs that are called from IEF vis-à-vis those called from the web app. The latter are protected with an OAuth2 token, the former with a certificate. Using a path segment will make it easier to exclude the app-callable APIs from the certificate requirement in Azure App Service (if you are using that for your REST functions).

lastbuilders commented 4 years ago

Cheers Marius,

I have tweaked my SAML sample to send back a custom claim from an Azure Function call, which is working, so good progress there.

I have a few queries to get me going with this project in my B2C Tenant now:

  1. I am a bit unclear on configuring the appsettings.json in the rest services project. Do you have any further detail on configuring these values? These will need to be tweaked based on my B2C tenant and the App Service. Does it also need an App Registration in the B2C tenancy?

  2. Similarly in the B2CMultiTenant app do you have any further detail on the settings for the appsettings.json here?

Kind Regards, Lastbuilders

mrochon commented 4 years ago

For REST appsettings, you will need to generate your own X509 cert and use it to authorize calls from IEF (or dispense with authz altogether while developing). Cert-related values are then used in the settings. REST functions need to use MS Graph to access your B2C tenant. You will need to configure ClientCreds for that in the AAD blade of your B2C tenant. For the app you will need to configure the standard stuff needed by any B2C app (AzureAD section) and the values used to create invitations for users to join a tenant (Invitation section). Let me know if you get stuck. We can perhaps arrange a call to clear it up.

lastbuilders commented 4 years ago

Thanks Marius,

I will look at it tomorrow and let you know how I am getting on. I am very hopeful this solution will work for us, especially as SAML will also work with it.

Can you comment on my comments here from the RestFunctions appsettings file:

"B2C": {
  "Instance": "https://b2cmultitenant.b2clogin.com", - My B2C Tenant
  "TenantId": "d06b10f6-c712-40c1-9617-cec9c7d02390", - My Tenant ID for B2C Tenant
  "ClientId": "62e7e7ea-a2cb-42e2-b356-f53424c67c4e", - Can you confirm where this ID is found?
  "Policy": "b2c_1a_mtsusi"
},

"ClientCreds": {
  "Instance": "https://login.microsoftonline.com/", - Not changing
  "TenantId": "b2cmultitenant.onmicrosoft.com", - My B2C Tenant
  "ClientId": "08e86a26-1465-4eca-833a-48a08e7f1018" - Can you confirm where this ID is found?
},

ClientCreds in the RestFunctions appsettings does not have an entry for clientsecret either. Is this correct?

Kind Regards, Lastbuilders

mrochon commented 4 years ago

The ClientId in the B2C section comes from the app registration; the application id is displayed after step 8. You do not need an app secret here. The ClientId in the ClientCreds section comes from registering the same app again for use of the Graph API.

lastbuilders commented 4 years ago

Thanks for the guidance Marius,

Apologies for all the questions and this quite long post.

I have set those 3 app registrations up now in my B2C Tenant.

a. For the B2CMultiTenant app, with a name of "b2cmultitenant", and added application permissions to access the AD Graph: Directory.Read.All and Directory.ReadWrite.All. I set the appsettings.json for this project as follows:

"AzureAD": {
  "TenantId": "{My Tenant ID}",
  "ClientId": "{Client ID of B2CMultiTenant App Registration}",
  "Domain": "{My B2C Tenant}.onmicrosoft.com"
},
"Invitation": {
  "Domain": "{My B2C Tenant}.onmicrosoft.com",
  "ClientId": "{Same Client ID of B2CMultiTenant App Registration}",
  "InvitationPolicy": "B2C_1A_MTInvitation",
  "Issuer": "b2cmultitenant",
  "Audience": "b2cmultitenant",
  "ValidityHours": 72,
  "RedirectPath": "/members/redeem"
}

b. One for RestFunctions without application permissions for AD Graph, called "RestFunctions". Its details are in this section of appsettings of the RestFunctions project:

"B2C": {
  "Instance": "https://{My B2C Tenant}.b2clogin.com",
  "TenantId": "{My Tenant ID}",
  "ClientId": "{Client ID of RestFunctions App Registration}",
  "Policy": "b2c_1a_mtsusi"
},

c. One for the call from RestFunctions to AD Graph, called "GraphAPI", with application permissions for AD Graph, called "RestFunctions". Its details are in this section of appsettings of the RestFunctions project:

"ClientCreds": {
  "Instance": "https://login.microsoftonline.com/",
  "TenantId": "{My B2C Tenant}.onmicrosoft.com",
  "ClientId": "{Client ID of GraphAPI Registration}"
},

For the certificate referenced in RestFunctions I have registered B2CIEFAuth.cer from the repo in my tenant for now and called it B2C_1A_RESTClientCert. Is that ok?

As I said earlier, I have set my B2C tenant up for the SAML Profile and it works with that sample, so the IEF and ProxyIEF Apps are set up ok.

I have deleted all the SAML custom policies and am tweaking those from the multitenant folder and wish to confirm the changes required.

1. Replace "yourtenant" with the new tenant value in all policies.

2. In Invitation.xml replace PublicPolicyUri="http://mrochonb2cprod.onmicrosoft.com/B2C_1A_Invitation"> with the new tenant value.

3. Replace 3 instances of <Item Key="ServiceUrl"> in TrustFrameworkExtensions.xml with the new app service url:
   <Item Key="ServiceUrl">{RestGetTenantForUser}</Item> replace with https://{My App service name }.azurewebsites.net/api/getuserroles
   <Item Key="ServiceUrl">{RestTenantCreate}</Item> replace with https://{My App service name }.azurewebsites.net/api/
   <Item Key="ServiceUrl">{RestGetOrJoinTenant}</Item> replace with https://{My App service name }.azurewebsites.net/api/member

4. I get an error for the LoadUri entry when left as is in TrustFrameworkExtensions during upload:
   <LoadUri>{SUSI_UI}</LoadUri>
   I believe this needs to link to the IdPSelect.html file from the UI folder in the repo, so I have added it to the publicly accessible storage account and set the url for this here. Is this correct?

5. Can you advise what values these need to be replaced with again in TrustFrameworkExtensions.xml and InvitationExtensions.xml:
   <Item Key="ApplicationObjectId">{ExtObjectId}</Item>
   <Item Key="ClientId">{ExtAppId}</Item>
   Currently I have these set to the "GraphAPI" App Registration mentioned above with application permissions to access the AD Graph Directory.Read.All and Directory.ReadWrite.All.

6. A number of additional secrets need to be set up for the TrustFrameworkExtensions.xml, such as
   GoogleSecret
   MeraridomSecret
   Do these need to be manual or generated? I have created these as manual.

7. The following additional secret needed to be set up for the InvitationExtensions.xml:
   InvitationTokenSigningKey
   Does this need to be manual or generated? I have created this as generated type.

Do any other values need to be replaced in these Policies?

After my tweaks above all the policies are now uploading without error. Next is to try and test them :). Have you any pointers on how to test and troubleshoot the various parts in the solution?

Kind Regards, Lastbuilders
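A pre-upload check for the placeholder replacement discussed in steps 3 to 5 above (ServiceUrl, LoadUri, ApplicationObjectId, ClientId), added here as an example; it is not code from the b2csamples repository. The policy fragment is constructed to mirror the placeholders quoted in the thread, and the app-service and storage URLs and GUIDs filled in are assumed sample values. It lists any `{Placeholder}` tokens still unresolved (the cause of the LoadUri upload error) and flags any endpoint IEF would call that is not https.

```python
import re
import xml.etree.ElementTree as ET

# Constructed fragment mirroring the thread's placeholders; not the repo's real policy file.
POLICY_XML = """<TrustFrameworkPolicy xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06">
  <TechnicalProfile Id="REST-GetTenantForUser">
    <Metadata>
      <Item Key="ServiceUrl">{RestGetTenantForUser}</Item>
    </Metadata>
  </TechnicalProfile>
  <ContentDefinition Id="api.idpselect">
    <LoadUri>{SUSI_UI}</LoadUri>
  </ContentDefinition>
  <TechnicalProfile Id="AAD-Common">
    <Metadata>
      <Item Key="ApplicationObjectId">{ExtObjectId}</Item>
      <Item Key="ClientId">{ExtAppId}</Item>
    </Metadata>
  </TechnicalProfile>
</TrustFrameworkPolicy>"""

# Placeholders in the sample policies look like {Name}; a real GUID never matches this.
PLACEHOLDER = re.compile(r"\{([A-Za-z_][A-Za-z0-9_]*)\}")

def substitute(xml_text, values):
    """Replace every {Name} whose value is known; unknown ones are left untouched."""
    return PLACEHOLDER.sub(lambda m: values.get(m.group(1), m.group(0)), xml_text)

def unresolved(xml_text):
    """Placeholders still present; any non-empty result means the upload will fail."""
    return sorted(set(PLACEHOLDER.findall(xml_text)))

def insecure_urls(xml_text):
    """ServiceUrl and LoadUri values IEF would fetch that are not https (or still a placeholder)."""
    root = ET.fromstring(xml_text)
    bad = []
    for el in root.iter():
        local = el.tag.rsplit("}", 1)[-1]  # strip the policy XML namespace
        if (local == "Item" and el.get("Key") == "ServiceUrl") or local == "LoadUri":
            value = (el.text or "").strip()
            if not value.startswith("https://"):
                bad.append(value)
    return bad

if __name__ == "__main__":
    print("unresolved before substitution:", unresolved(POLICY_XML))
```
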