
B2C as IdP for SalesForce

Completely new to B2C. Tried both of these walkthroughs, but I'm missing something still:

https://github.com/Azure-Samples/active-directory-b2c-advanced-policies/blob/master/Walkthroughs/RP-SAML.md

http://blogs.quovantis.com/saml-based-sso-with-azure-ad-b2c-as-an-idp/

Both of these only describe the policies needed, but I'm pretty sure I need to register an app on B2C still? The problem I have with app registration is that SalesForce gives me a token endpoint URL with a query string:

https://mycompany.cs79.my.salesforce.com/services/oauth2/token?so=00D1h000000Cnli

And B2C won't allow query strings in the reply URL.

Is there any way around this? Salesforce also supports OpenID I think, if that would be better?

::::::::::::UPDATE 6/22::::::::::

SAML:

I found and realized I was missing a critical step on the SalesForce side: adding the authentication provider to my domain's login page. Clicking the new link redirects me to B2C, but I get an immediate error from B2C. Application Insights shows the following exception:

The SAML technical profile 'serviceProviderMetadata' specifies a PartnerEntity URL of 'REMOVED', but fetching the metadata fails with reason 'For security reasons DTD is prohibited in this XML document. To enable DTD processing set the DtdProcessing property on XmlReaderSettings to Parse and pass the settings into XmlReader.Create method.'

OpenID:

Using this write-up as a guideline, I've registered the app in B2C and configured the SalesForce side.

Instead of using the Azure AD authorization endpoints, I pulled my B2C tenant's endpoints from my metadata URL (login.microsoftonline.com/{tenant}/.well-known/openid-configuration).

This works for my B2C admin account; however, when I try a test user that isn't a B2C admin I get the following error from the B2C sign-in page:

Sorry, but we're having trouble signing you in. AADSTS50020: User account 'REMOVED' from identity provider 'LINK REMOVED' does not exist in tenant 'MTB2CTest' and cannot access the application '5c8b9f4f-cf28-42fe-b629-b87251532970' in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.

::::::::::::UPDATE 6/23::::::::::

OpenID:

I've found that it works 100% only for my B2C admin account if I don't use a policy, but doesn't work for other accounts. When I use a policy, only accounts that signed up through the policy can authenticate with B2C (which is great), but the token doesn't seem to be reaching SalesForce. I've created two PDFs showing the configuration details and the results from each method (policy and no policy) here.
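The DTD error in the 6/22 update is worth a closer look, because it usually has nothing to do with SAML itself. B2C's metadata fetcher behaves like .NET's XmlReader with its default DtdProcessing = Prohibit: any document that carries a DOCTYPE is refused before it is parsed, since DTDs are the vehicle for XXE and entity-expansion attacks. A real md:EntityDescriptor never has one, so seeing this error almost always means the "metadata" URL is returning something else (typically an HTML login or error page, which starts with <!DOCTYPE html>). The script below is an added example, not code from the question or from Microsoft or Salesforce; it reproduces that rule locally with Python's expat parser and then checks that what came back is actually SP metadata with an AssertionConsumerService. All sample documents, the helper names (reject_dtd, parse_sp_metadata, check) and the sp.example.com URLs are constructed for the example.

```python
"""Pre-flight check for SAML SP metadata before pointing Azure AD B2C at it.

Reproduces the "DTD is prohibited" rule locally and then validates that the
document really is SP metadata. Sample inputs are constructed for this example.
"""
import xml.etree.ElementTree as ET
from xml.parsers import expat

SAML_MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"


class MetadataError(ValueError):
    """Raised for anything B2C would (or should) refuse to consume."""


def reject_dtd(data: bytes) -> None:
    """Raise MetadataError if the document declares a DTD or any entity.

    This mirrors XmlReaderSettings.DtdProcessing = Prohibit (the .NET default).
    Exceptions raised inside expat handlers propagate out of Parse().
    """
    parser = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise MetadataError(
            f"DTD is prohibited in this XML document (DOCTYPE {name!r})")

    def on_entity(*_args):
        raise MetadataError("entity declarations are prohibited")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    try:
        parser.Parse(data, True)
    except expat.ExpatError as exc:
        raise MetadataError(f"not well-formed XML: {exc}") from None


def parse_sp_metadata(data: bytes) -> dict:
    """Return entityID and ACS endpoints from SP metadata that passed reject_dtd."""
    reject_dtd(data)  # ElementTree alone would happily expand internal entities
    root = ET.fromstring(data)
    if root.tag != f"{{{SAML_MD_NS}}}EntityDescriptor":
        raise MetadataError(f"root element is {root.tag}, not md:EntityDescriptor")
    sp = root.find(f"{{{SAML_MD_NS}}}SPSSODescriptor")
    if sp is None:
        raise MetadataError("no SPSSODescriptor: this is not SP metadata")
    acs = [(e.get("Binding"), e.get("Location"))
           for e in sp.findall(f"{{{SAML_MD_NS}}}AssertionConsumerService")]
    if not acs:
        raise MetadataError("SPSSODescriptor has no AssertionConsumerService")
    return {"entityID": root.get("entityID"), "acs": acs}


def check(data: bytes) -> str:
    """Human-readable verdict, as you would print for each candidate URL."""
    try:
        info = parse_sp_metadata(data)
    except MetadataError as exc:
        return f"REJECTED: {exc}"
    return f"OK: entityID={info['entityID']} acs={info['acs']}"


# --- constructed sample documents (not real Salesforce output) ---------------
GOOD_METADATA = b"""<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.com">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.com/saml/acs" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# What you get when the metadata URL actually serves a sign-in page.
HTML_LOGIN_PAGE = b"""<!DOCTYPE html>
<html><head><title>Login</title></head><body>Please sign in</body></html>"""

# A hostile document: the DOCTYPE is refused before the entity is ever read.
XXE_METADATA = b"""<?xml version="1.0"?>
<!DOCTYPE md [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="&xxe;"/>"""

if __name__ == "__main__":
    for label, doc in [("good", GOOD_METADATA), ("html", HTML_LOGIN_PAGE),
                       ("xxe", XXE_METADATA)]:
        print(f"{label:5s} {check(doc)}")
```

In practice you would feed `check()` the bytes fetched from the PartnerEntity URL (with curl or requests) before entering that URL in the B2C technical profile; if it reports a DOCTYPE, fix the URL on the Salesforce side rather than loosening DTD handling.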

Both of these only describe the policies needed, but I'm pretty sure I need to register an app on B2C still?

Not exactly; you do not need to register an app on the B2C side. All the configuration you do in the policies is enough.

Did you try Salesforce SAML SSO article https://help.salesforce.com/articleView?id=sso_saml.htm&type=5

Check the above article, do the configuration on the Salesforce side, and grab the details required by the SAML RP.

I hope that by following both the SAML RP and the Configure SAML Settings for Single Sign-On articles you can configure B2C as an IdP for Salesforce.

I stumbled on this question while trying to implement Azure AD B2C as an IdP for Salesforce. We used OpenID Connect to enable SSO between the two. This involved setting up an Application in Azure AD B2C, enabling the read scope on that application, and configuring the connection in Salesforce using that application, a custom policy returning a JWT token, and a dummy User Info endpoint.

Check out this answer for exact steps on how we set up OpenID Connect: https://stackoverflow.com/a/61639332/13484109
