SAML protocol support
Azure AD B2C currently supports OpenID Connect and OAuth 2.0. Add SAML protocol support as well.
We are working to support SP-initiated SSO as well. However, we don't have timing on when it would be available to customers.
Large organization commented
We have the same requirement as Andrew describes, to use B2C as IdP to support SSO for SAML applications.
This feature is really needed in Production at the earliest.
Warwick Jaensch commented
SAML2 Relying Party integration with B2C as the IdP via Service Provider initiated requests works well with Custom Policies. I followed this guide:
then used this test SP tool:
Everything worked well.
We have a similar requirement.
Chris Imm commented
We also have the same requirement as Andrew and Stephen below. We need a B2C directory to be able to respond with a SAML Response to any Service Provider that uses SAML. I have scoured the internet and attended the Tech Summit in San Francisco looking for an answer to this, and so far have only received conflicting responses.
Unfortunately we are getting close to signing a multi-year contract with a competitor because of the lack of clarity.
Even if the functionality is not currently available, any authoritative response outlining a release plan would be very beneficial in our B2C planning.
Stephen Walsh commented
We have the same requirement as Andrew describes below, to use B2C to support SSO for SAML applications.
The response & link provided (https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-overview-custom) describes using SAML as an IdP for B2C, rather than using B2C as an IdP for SAML Service Providers.
Andrew Seymour commented
Can we ensure this doesn't get dropped because of a misunderstanding of what the feature is?
I believe the capability can be achieved with custom policies as described here: http://blogs.quovantis.com/saml-based-sso-with-azure-ad-b2c-as-an-idp/
and in simple SAML terms we want Azure B2C to operate as an IdP (Identity Provider) to support the single sign-on of SAML 2.0 compliant Service Providers (SP).
Can the Microsoft team confirm this feature is still coming in Q1 2018 as an out of the box capability?
Richard Ward commented
Just to add to Eric Grover below, this feature request was not to support SAML as an Identity Provider, but rather to support SAML 2.0 as an authentication mechanism, i.e. we plug the B2C details into our SAML 2.0 aware Relying Party and it sends back the required SAML 2.0 tokens to the application.
Unless I am missing something, the changes to use custom policies now allow us to use SAML as an IdP for the B2C directory, but do not enable the SAML 2.0 endpoints in B2C.
Eric Grover commented
Jason, the link you provided is for adding a SAML relying party (AD FS, Salesforce) as an identity provider for AAD B2C. This request is to enable AAD B2C as a SAML identity provider, which is a different capability.
Same issue here. We are moving internal apps to use OAuth with B2C; however, we have many third-party Cloud applications which do accept SAML. If B2C could provide a SAML interface this would be a true game changer for us. Right now our customers are forced to maintain separate logins, which is a huge waste of time and resources.
We at our organization are really looking for this feature. We have various customers using Azure AD B2C with OpenID, but some of the customers are looking for SAML2 support with B2C. This is now on the critical path for us and we want this feature at the earliest.
Does this mean that it's easy to integrate an existing application that supports this protocol? If yes, can we have some examples? The following is what I found for Azure Premium; not sure if we can use this with Azure B2C.
We have a requirement where we are building a secure portal for our customer (approx. 300,000 users); we need to provide SSO using the SAML protocol across 3 web applications (.NET based) along with self-service features (user registration, password reset, Forgot Email, etc.).
As part of the current solution (ADFS 3.0 + AD) I was able to achieve SSO across all 3 web applications. However, due to the lack of any identity management solution in the overall solution design, we have advised the portal team to invoke an LDAP call against AD via ESB as an interim solution, though as we know this is not an ideal approach from a security point of view. Hence I started exploring a WAAD + ACS solution to achieve an Identity and Access Management solution. While exploring that, I learned that WAAD login page customization is very much limited to logo/illustration and sign-in description only, whereas our requirement is to embed a few URLs in the sign-in page (I was able to customize the login page as per business requirements in ADFS 3.0). Hence I was looking for some other option and found AD B2C, which is well suited to our Identity Management requirement; however, I am not sure how I can enable SSO with the 2 other on-premise applications.
This is a major roadblock for us and we might have to try some other option, whereas considering we are an existing MS Azure customer we are interested in using the MS IAAS solution.
Please advise if SAML-based SSO using AD B2C is possible by any means or whether the WAAD login page is possible to customize.