diff --git a/Policies/SAMLIdP/readme.md b/Policies/SAMLIdP/readme.md index d23c713..0ac930b 100644 --- a/Policies/SAMLIdP/readme.md +++ b/Policies/SAMLIdP/readme.md @@ -21,6 +21,7 @@ In order for the B2C users to sign in to AAD managed resources, either the resou 3. The resulting email is included in the SAML token as "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", as required by AAD. 4. Setup your AAD to use B2C as SAML IdP. The metadata you will need to provide to AAD can be found at `https://.b2clogin.com/.onmicrosoft.com//samlp/metadata` +4.5 Note that you will need to create a Policy Key called B2C_1A_SamlIdpCert following the instructions here: https://docs.microsoft.com/en-us/azure/active-directory-b2c/saml-service-provider?tabs=windows&pivots=b2c-custom-policy#obtain-a-certificate 5. Modify your applications include a domain_hint when needing to sign in the B2B users from B2C. (alternatively, these users would need to use transformed email address when challenged by AAD), e.g.: [https://login.microsoftonline.com/7d1abfb9-9f4e-4ec6-8280-722dd7bf9b50/oauth2/v2.0/authorize?client_id=1ef7588f-aa2b-43e9-9961-abf3a4f05e88&nonce=nonce&response_mode=fragment&response_type=id_token&scope=openid+profile+email&sso_nonce=dummyNonce&domain_hint=b2clogin.com](https://login.microsoftonline.com/7d1abfb9-9f4e-4ec6-8280-722dd7bf9b50/oauth2/v2.0/authorize?client_id=1ef7588f-aa2b-43e9-9961-abf3a4f05e88&nonce=nonce&response_mode=fragment&response_type=id_token&scope=openid+profile+email&sso_nonce=dummyNonce&domain_hint=b2clogin.com) (Note: you can use the above link to start the process but since I have not invited you to my AAD, you will get an error at the end of the process saying just that. However, that proves that the B2B process has received the correct token from B2C).