AAD B2C SAML SSO - Configure AssertionConsumerService


I am configuring our B2C tenant to issue a SAML response, via Custom Policy, to one of our vendors. My SAML IdP will authenticate Local Accounts in our B2C tenant and issue the SAML response via an IdP-initiated SSO flow (i.e. https : //tenantname.b2clogin.com/tenantname.onmicrosoft.com/B2C_1A_POLICYNAME/generic/login?EntityId=https://tenantname.onmicrosoft.com/MyAADB2CAppForSamlSso).

And I am having trouble setting up the AssertionConsumerService properly.

The SAML response will be sent properly to the intended URL if I configure the AssertionConsumerService in the Relying Party XML as a metadata "Item Key="PartnerEntity"" enclosed in a "<![CDATA[" section.

Edit: sorry, but Stack Overflow wouldn't display the actual XML code for the item key, the "<![CDATA[" syntax, and the EntityDescriptor XML code that comes before the XML shown below.

<SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
   
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>

    <AssertionConsumerService index="0" isDefault="true" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https : //www.MyCompany.com/cl/SamlResponseReceiver" />
    
</SPSSODescriptor>

But if I don't include the above code in the RP XML and instead set "replyUrlsWithType" in the manifest of the application "MyAADB2CAppForSamlSso", it won't work.

"replyUrlsWithType": [
    {
        "url": "https : //wwww.MyCompany.com/cl/SamlResponseReceiver",
        "type": "Web"
    }
]

Application Insights shows the following error:

"Application registered corresponding to EntityId 'https://tenantname.onmicrosoft.com/MyAADB2CAppForSamlSso' has no assertion consumer service URL specified in its metadata."

In the manifest the metadata has always been set to the following:

"samlMetadataUrl": "https://tenantname.b2clogin.com/tenantname.onmicrosoft.com/B2C_1A_POLICYNAME/samlp/metadata"

When I view the metadata returned from the above metadata URL the AssertionConsumerService is the following:

And it isn't what I configured for "replyUrlsWithType" in the manifest.

I can't just stick with configuring the AssertionConsumerService in the RP XML because the production URL contains special characters such as "?" and "=", and I haven't been able to make the URL work in the RP XML no matter how I tried to escape or encode the special characters.

Please point out my misunderstanding and what I am missing.

PS: please ignore the unnecessary spaces in the URLs. Without them, Stack Overflow thinks my question is spam.

Thank you. Sam

Be able to set up an AssertionConsumerService URL that contains special characters (i.e. "?", "=")
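Added example, not part of the question or of any answer: a small Python script that builds an SPSSODescriptor whose AssertionConsumerService Location contains "?", "=" and "&", both as a stand-alone metadata document and wrapped in a "<![CDATA[ ... ]]>" section inside a metadata Item the way the question describes, then parses it back and checks the published ACS URL byte-for-byte against what the SP expects. The host name, entity ID and URL are constructed. It shows only the XML-level rules: "?" and "=" need no escaping inside an attribute, "&" must be written "&amp;", and a CDATA wrapper only shields the outer document from the inner "<" and ">"; it does not change how the inner metadata text must be escaped when that text is itself parsed as XML.

```python
"""Build and verify SP metadata whose ACS Location carries a query string.

Added example (not from the question or any answer). All host names,
the entity ID and the ACS URL below are constructed sample values.
"""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample values (not from the question).
SP_ENTITY_ID = "https://sp.example.test/saml"
ACS_URL = "https://sp.example.test/cl/SamlResponseReceiver?tenant=acme&env=prod"


def build_sp_metadata(entity_id: str, acs_url: str) -> str:
    """Serialize SP metadata as one XML string.

    '?' and '=' need no escaping inside an attribute value; '&' must become
    '&amp;', which quoteattr() does for us (it also adds the quotes).
    """
    return (
        f'<EntityDescriptor xmlns="{MD}" entityID={quoteattr(entity_id)}>'
        '<SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" '
        'protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
        '<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>'
        f'<AssertionConsumerService index="0" isDefault="true" Binding="{POST}" '
        f'Location={quoteattr(acs_url)}/>'
        '</SPSSODescriptor></EntityDescriptor>'
    )


def wrap_as_partner_entity_item(sp_metadata: str) -> str:
    """Embed the metadata in a CDATA section inside a metadata Item.

    This is the shape the question describes for the relying-party policy.
    CDATA hides the inner '<' and '>' from the outer document; it does NOT
    remove the need for '&amp;' inside the inner document, because that
    inner text is parsed as XML on its own once it is extracted.
    """
    if "]]>" in sp_metadata:
        raise ValueError("CDATA content cannot contain its own terminator ']]>'")
    return (
        '<Metadata><Item Key="PartnerEntity"><![CDATA['
        + sp_metadata
        + ']]></Item></Metadata>'
    )


def is_well_formed(xml_text: str) -> bool:
    """True if the text parses as XML (a bare '&' in an attribute does not)."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False


def acs_locations(sp_metadata: str) -> list[str]:
    """Parse SP metadata and return every ACS Location attribute, unescaped."""
    root = ET.fromstring(sp_metadata)
    tag = f"{{{MD}}}AssertionConsumerService"
    return [e.get("Location") for e in root.iter(tag)]


def acs_from_policy_item(policy_xml: str) -> list[str]:
    """Pull the CDATA text out of the PartnerEntity Item and read its ACS URLs."""
    root = ET.fromstring(policy_xml)
    item = root.find('Item[@Key="PartnerEntity"]')
    if item is None or not item.text:
        raise ValueError("no PartnerEntity metadata item found")
    return acs_locations(item.text)


def acs_matches(sp_metadata: str, expected_url: str) -> bool:
    """Exact comparison: an SP normally rejects a response whose Destination
    differs from its ACS URL by even one character, so compare byte-for-byte
    rather than after normalising."""
    return expected_url in acs_locations(sp_metadata)


if __name__ == "__main__":
    md = build_sp_metadata(SP_ENTITY_ID, ACS_URL)
    print(md)
    print("ACS in metadata:     ", acs_locations(md))
    print("ACS via CDATA item:  ", acs_from_policy_item(wrap_as_partner_entity_item(md)))
    print("matches expected URL:", acs_matches(md, ACS_URL))
    print("bare '&' well-formed:", is_well_formed(md.replace("&amp;", "&")))
```

The same `acs_locations` check can be run over the document returned by the tenant's samlp/metadata endpoint to confirm that the Location published there is exactly the URL the vendor expects, which is the comparison the error message about a missing assertion consumer service URL turns on.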
