
I'm trying to enable combined MFA options for Azure B2C via custom policies, but I'm receiving an error while trying to do so. I've used https://github.com/azure-ad-b2c/samples/blob/master/policies/mfa-email-or-phone/policy/SignUpOrSignin_PhoneOrEmailMFA.xml as my starting point.

I'm getting the error:

Profile 'Jwt Issuer' in policy 'B2C_1A_signup_signin_saml' in tenant 'in group devb2c.xxxx.com' does not contain the required cryptographic key 'SamlAssertionSigning'

Please find below my custom policy for B2C_1A_TRUSTFRAMEWORKEXTENSIONS.xml:

<OrchestrationStep Order="7" Type="ClaimsExchange">
  <Preconditions>
    <Precondition Type="ClaimsExist" ExecuteActionsIf="true">
      <Value>extension_mfaByPhoneOrEmail</Value>
      <Action>SkipThisOrchestrationStep</Action>
    </Precondition>
  </Preconditions>
  <ClaimsExchanges>
    <ClaimsExchange Id="SelfAsserted-Select-MFA-Method" TechnicalProfileReferenceId="SelfAsserted-Select-MFA-Method" />
  </ClaimsExchanges>
</OrchestrationStep>

<OrchestrationStep Order="8" Type="InvokeSubJourney">
  <Preconditions>
    <!-- If the preferred MFA method is not 'totp', skip this orchestration step -->
    <Precondition Type="ClaimEquals" ExecuteActionsIf="false">
      <Value>extension_mfaByPhoneOrEmail</Value>
      <Value>totp</Value>
      <Action>SkipThisOrchestrationStep</Action>
    </Precondition>
  </Preconditions>
  <JourneyList>
    <Candidate SubJourneyReferenceId="TotpFactor-Input" />
  </JourneyList>
</OrchestrationStep>

<OrchestrationStep Order="9" Type="InvokeSubJourney">
  <Preconditions>
    <!-- If the preferred MFA method is not 'email', skip this orchestration step -->
    <Precondition Type="ClaimEquals" ExecuteActionsIf="false">
      <Value>extension_mfaByPhoneOrEmail</Value>
      <Value>email</Value>
      <Action>SkipThisOrchestrationStep</Action>
    </Precondition>
  </Preconditions>
  <ClaimsExchanges>
    <ClaimsExchange Id="Email-Verify" TechnicalProfileReferenceId="EmailVerifyOnSignIn" />
  </ClaimsExchanges>
</OrchestrationStep>

I've used https://github.com/azure-ad-b2c/samples/blob/master/policies/mfa-email-or-phone/policy/SignUpOrSignin_PhoneOrEmailMFA.xml as my starting point, which is working as expected; I just tried to make changes on:

<ClaimType Id="extension_mfaByPhoneOrEmail">
  <DisplayName>Please select your preferred MFA method</DisplayName>
  <DataType>string</DataType>
  <UserInputType>RadioSingleSelect</UserInputType>
  <Restriction>
    <Enumeration Text="TOTP" Value="totp" SelectByDefault="true" />
    <Enumeration Text="Email" Value="email" SelectByDefault="false" />
  </Restriction>
</ClaimType>

I'm getting the screen to enter my TOTP, but in the next step it fails with the message: "Profile 'Jwt Issuer' in policy 'B2C_1A_signup_signin_saml' in tenant 'in group devb2c.xxxx.com' does not contain the required cryptographic key 'SamlAssertionSigning'"

2 Answers


  1. Chosen as BEST ANSWER

    I was able to resolve this by adding SamlAssertionSigning and SamlMessageSigning in the JwtIssuer technical profile.

    <TechnicalProfile Id="JwtIssuer">
      <DisplayName>JWT Issuer</DisplayName>
      <Protocol Name="None" />
      <OutputTokenFormat>JWT</OutputTokenFormat>
      <Metadata>
        <Item Key="client_id">{service:te}</Item>
        <Item Key="issuer_refresh_token_user_identity_claim_type">objectId</Item>
        <Item Key="SendTokenResponseBodyWithJsonNumbers">true</Item>
      </Metadata>
      <CryptographicKeys>
        <Key Id="issuer_secret" StorageReferenceId="B2C_1A_TokenSigningKeyContainer" />
        <Key Id="issuer_refresh_token_key" StorageReferenceId="B2C_1A_TokenEncryptionKeyContainer" />
        <Key Id="SamlAssertionSigning" StorageReferenceId="B2C_1A_SamlIdpCert" />
        <Key Id="SamlMessageSigning" StorageReferenceId="B2C_1A_SamlIdpCert" />
      </CryptographicKeys>
      <InputClaims />
      <OutputClaims />
    </TechnicalProfile>
    

  2. If you have a SAML authentication journey then you need to issue a SAML token at the end of it, not a JWT. The error is occurring because a JWT token issuer technical profile doesn't have the necessary elements to issue a SAML token.

    Don't add the SAML keys to the JWT issuer technical profile.

    Instead, set up a SAML token issuer technical profile, and use that as the last step of your SAML UserJourney instead of the JwtIssuer you already have:

    <TechnicalProfile Id="Saml2AssertionIssuer">
      <DisplayName>Token Issuer</DisplayName>
      <Protocol Name="SAML2"/>
      <OutputTokenFormat>SAML2</OutputTokenFormat>
      <Metadata>
        <Item Key="IssuerUri">https://tenant-name.b2clogin.com/tenant-name.onmicrosoft.com/B2C_1A_signup_signin_SAML</Item>
        <Item Key="TokenNotBeforeSkewInSeconds">600</Item>
      </Metadata>
      <CryptographicKeys>
        <Key Id="MetadataSigning" StorageReferenceId="B2C_1A_SamlIdpCert"/>
        <Key Id="SamlMessageSigning" StorageReferenceId="B2C_1A_SamlIdpCert"/>
      </CryptographicKeys>
      <InputClaims/>
      <OutputClaims/>
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-Saml-issuer"/>
    </TechnicalProfile>
    

    The Microsoft docs also have a full guide on how to set up B2C to support SAML service providers which may be helpful.
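    To show where the SAML issuer profile from the answer above actually gets wired in, here is an added example (not code from the original question or either answer) of the remaining pieces: the session-management profile the issuer references, the SendClaims step that closes the user journey, and the SAML2 RelyingParty that makes B2C select this journey for a SAML service provider. The journey name `SignUpOrSignInSaml`, the policy file layout, the tenant name, the `B2C_1A_SamlIdpCert` key container and the output claims are assumptions; the handler string and element names follow the Microsoft SAML service provider guide.

```xml
<!-- Added example, not from the original post. All names below are assumed. -->

<!-- 1. Session management for the SAML issuer (goes in the ClaimsProviders
        section of TrustFrameworkExtensions.xml). The issuer profile's
        UseTechnicalProfileForSessionManagement points at this Id. -->
<ClaimsProvider>
  <DisplayName>Session Management</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="SM-Saml-issuer">
      <DisplayName>Session Management Provider</DisplayName>
      <Protocol Name="Proprietary" Handler="Web.TPEngine.SSO.SamlSSOSessionProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>

<!-- 2. The SAML user journey. Steps 1..9 are the sign-in and MFA steps from the
        question (unchanged); the point is the final SendClaims step, which must
        reference the SAML issuer, not JwtIssuer. The assertion signing key is
        therefore looked up on Saml2AssertionIssuer, which has it. -->
<UserJourney Id="SignUpOrSignInSaml">
  <OrchestrationSteps>
    <!-- ... steps 1-9 as in the question ... -->
    <OrchestrationStep Order="10" Type="SendClaims" CpimIssuerTechnicalProfileReferenceId="Saml2AssertionIssuer" />
  </OrchestrationSteps>
</UserJourney>

<!-- 3. Relying party file (e.g. SignUpOrSignInSaml.xml). Protocol Name="SAML2"
        is what tells B2C this policy answers SAML requests; a JwtIssuer at the
        end of the journey cannot satisfy it. -->
<RelyingParty>
  <DefaultUserJourney ReferenceId="SignUpOrSignInSaml" />
  <TechnicalProfile Id="PolicyProfile">
    <DisplayName>PolicyProfile</DisplayName>
    <Protocol Name="SAML2" />
    <Metadata>
      <!-- Assumed tenant name; must match the IssuerUri on Saml2AssertionIssuer -->
      <Item Key="IssuerUri">https://tenant-name.b2clogin.com/tenant-name.onmicrosoft.com/B2C_1A_signup_signin_saml</Item>
    </Metadata>
    <OutputClaims>
      <OutputClaim ClaimTypeReferenceId="displayName" />
      <OutputClaim ClaimTypeReferenceId="givenName" />
      <OutputClaim ClaimTypeReferenceId="surname" />
      <OutputClaim ClaimTypeReferenceId="email" DefaultValue="" />
      <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="objectId" />
    </OutputClaims>
    <!-- Use the immutable objectId as the SAML subject, not a mutable email -->
    <SubjectNamingInfo ClaimType="objectId" ExcludeAsClaim="true" />
  </TechnicalProfile>
</RelyingParty>
```

    The security-relevant point is that signing keys belong on the profile that emits the token the relying party asked for: a SAML2 relying party needs an assertion signed by the SAML issuer's certificate, and the same `B2C_1A_SamlIdpCert` container is what the service provider trusts via the policy's metadata endpoint. Keep the JWT issuer for OIDC relying parties and the SAML issuer for SAML ones rather than mixing keys across them.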
