articles/active-directory-b2c/saml-technical-profile.md
Lines changed: 6 additions & 18 deletions
@@ -1,5 +1,5 @@
1
1
---
2
-
title: Define a SAML technical profile in a custom policy in Azure Active Directory B2C | Microsoft Docs
2
+
title: Define a SAML technical profile in a custom policy in Azure Active Directory B2C
3
3
description: Define a SAML technical profile in a custom policy in Azure Active Directory B2C.
4
4
services: active-directory-b2c
5
5
author: mmacy
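Review bot: dropping the " | Microsoft Docs" suffix from `title:` is a reasonable cleanup since the site supplies the brand suffix itself; the one follow-up worth making in the same hunk is that `description:` on line 3 now repeats the title word for word ("Define a SAML technical profile in a custom policy in Azure Active Directory B2C."), so consider rewording it to say what the reader will learn, for example which metadata items and cryptographic keys the profile exposes.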
@@ -8,7 +8,7 @@ manager: celestedg
8
8
ms.service: active-directory
9
9
ms.workload: identity
10
10
ms.topic: reference
11
-
ms.date: 12/21/2018
11
+
ms.date: 11/04/2019
12
12
ms.author: marsma
13
13
ms.subservice: B2C
14
14
---
@@ -54,7 +54,6 @@ The following diagram shows the metadata and certificate exchange:
54
54
55
55

56
56
57
-
58
57
## Digital encryption
59
58
60
59
To encrypt the SAML response assertion, the identity provider always uses a public key of an encryption certificate in an Azure AD B2C technical profile. When Azure AD B2C needs to decrypt the data, it uses the private portion of the encryption certificate.
@@ -129,7 +128,7 @@ The technical profile also returns claims that aren't returned by the identity p
129
128
| NameIdPolicyFormat | No | Specifies constraints on the name identifier to be used to represent the requested subject. If omitted, any type of identifier supported by the identity provider for the requested subject can be used. For example, `urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified`. **NameIdPolicyFormat** can be used with **NameIdPolicyAllowCreate**. Look at your identity provider’s documentation for guidance about which name ID policies are supported. |
130
129
| NameIdPolicyAllowCreate | No | When using **NameIdPolicyFormat**, you can also specify the `AllowCreate` property of **NameIDPolicy**. The value of this metadata is `true` or `false` to indicate whether the identity provider is allowed to create a new account during the sign-in flow. Look at your identity provider’s documentation for guidance on how to do so. |
131
130
| AuthenticationRequestExtensions | No | Optional protocol message extension elements that are agreed on between Azure AD BC and the identity provider. The extension is presented in XML format. You add the XML data inside the CDATA element `<![CDATA[Your IDP metadata]]>`. Check your identity provider’s documentation to see if the extensions element is supported. |
132
-
| IncludeAuthnContextClassReferences | No | Specifies one or more URI references identifying authentication context classes. For example, to allow a user to sign in with username and password only, set the value to `urn:oasis:names:tc:SAML:2.0:ac:classes:Password`. To allow sign-in through username and password over a protected session (SSL/TLS), specify `PasswordProtectedTransport`. Look at your identity provider’s documentation for guidance about the **AuthnContextClassRef** URIs that are supported. |
131
+
| IncludeAuthnContextClassReferences | No | Specifies one or more URI references identifying authentication context classes. For example, to allow a user to sign in with username and password only, set the value to `urn:oasis:names:tc:SAML:2.0:ac:classes:Password`. To allow sign-in through username and password over a protected session (SSL/TLS), specify `PasswordProtectedTransport`. Look at your identity provider’s documentation for guidance about the **AuthnContextClassRef** URIs that are supported. Specify multiple URIs as a comma-delimited list. |
133
132
| IncludeKeyInfo | No | Indicates whether the SAML authentication request contains the public key of the certificate when the binding is set to `HTTP-POST`. Possible values: `true` or `false`. |
134
133
135
134
## Cryptographic keys
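Review bot: the sentence added to the IncludeAuthnContextClassReferences row, "Specify multiple URIs as a comma-delimited list.", leaves open two things a policy author will need to know: whether whitespace around the commas is tolerated, and how the values are emitted in the request, that is, whether each URI becomes its own AuthnContextClassRef under RequestedAuthnContext and which Comparison rule applies when more than one is listed. The row is also inconsistent about the form of the value: the first example is the full URI `urn:oasis:names:tc:SAML:2.0:ac:classes:Password`, while the second says to "specify `PasswordProtectedTransport`"; since the column documents URI references, give the second as a full URI as well (`urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport`) so readers do not paste a bare class name the identity provider will reject. Nit in the unchanged AuthenticationRequestExtensions context line: "Azure AD BC" should read "Azure AD B2C".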
@@ -142,20 +141,9 @@ The **CryptographicKeys** element contains the following attributes:
142
141
| SamlAssertionDecryption |Yes | The X509 certificate (RSA key set) to use to decrypt SAML messages. This certificate should be provided by the identity provider. Azure AD B2C uses this certificate to decrypt the data sent by the identity provider. |
143
142
| MetadataSigning |No | The X509 certificate (RSA key set) to use to sign SAML metadata. Azure AD B2C uses this key to sign the metadata. |
144
143
145
-
## Examples
144
+
## Next steps
145
+
146
+
See the following articles for examples of working with SAML identity providers in Azure AD B2C:
146
147
147
148
-[Add ADFS as a SAML identity provider using custom policies](active-directory-b2c-custom-setup-adfs2016-idp.md)
148
149
-[Sign in by using Salesforce accounts via SAML](active-directory-b2c-setup-sf-app-custom.md)
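Review bot: the hunk header says 20 lines were replaced by 9, but the rendered hunk ends right after the two deleted links, so the new "Next steps" entries that should follow "See the following articles for examples of working with SAML identity providers in Azure AD B2C:" are not visible here and cannot be checked; confirm that replacement links are present and that the sentence is not left introducing an empty list. The deleted entries pointed at `active-directory-b2c-custom-setup-adfs2016-idp.md` and `active-directory-b2c-setup-sf-app-custom.md`; if those pages were renamed, the new targets belong in this section, and if they were retired, this change should be paired with redirect entries so inbound links to the ADFS and Salesforce walkthroughs do not break.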