Context:
We have 4 different apps under the same domain, each of these apps has its own app registration on Azure B2C.
We want to provide SSO, so that if a user is authenticated on app1.contoso.com and goes to app2.contoso.com we automatically authenticate that user.
Our frontends are React apps that use msal.js, so our flow is:
- Try to get a token using acquireTokenSilent
- If #1 fails, we try using ssoSilent (that will reuse the session from the other apps)
- If #2 fails, we then force a loginRedirect
Some of our customers use OpenID, and for them the configuration works perfectly, but new customers are using SAML. For these, although we can authenticate and use our app without issues, the ssoSilent call always fails, forcing a loginRedirect call.
Is there a way to provide the same behavior with SAML that we have with OpenID?
Below is my custom policy configuration:
<!-- OpenID -->
<ClaimsProvider>
  <Domain>okta.com</Domain>
  <DisplayName>Okta</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="Okta-OIDC">
      <DisplayName>Okta Account</DisplayName>
      <Protocol Name="OpenIdConnect" />
      <Metadata>
        <Item Key="ProviderName">https://trial-test.okta.com/oauth2/default</Item>
        <Item Key="METADATA">https://trial-test.okta.com/oauth2/default/.well-known/openid-configuration</Item>
        <Item Key="response_types">code</Item>
        <Item Key="response_mode">form_post</Item>
        <Item Key="scope">openid profile email</Item>
        <Item Key="HttpBinding">POST</Item>
        <Item Key="UsePolicyInRedirectUri">0</Item>
        <Item Key="client_id">test</Item>
      </Metadata>
      <CryptographicKeys>
        <Key Id="client_secret" StorageReferenceId="Test" />
      </CryptographicKeys>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="okta.com" />
        <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" />
        <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="sub" />
        <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name" />
        <OutputClaim ClaimTypeReferenceId="email" />
      </OutputClaims>
      <OutputClaimsTransformations>
        <OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName" />
        <OutputClaimsTransformation ReferenceId="CreateUserPrincipalName" />
        <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId" />
        <OutputClaimsTransformation ReferenceId="CreateSubjectClaimFromAlternativeSecurityId" />
      </OutputClaimsTransformations>
      <!-- Session management technical profile used for this IdP -->
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-SocialLogin" />
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>

<!-- SAML -->
<ClaimsProvider>
  <DisplayName>Okta SAML Provider</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="Okta-SamlProvider">
      <DisplayName>Okta SAML Provider</DisplayName>
      <Description>Login with your SAML identity provider account</Description>
      <Protocol Name="SAML2" />
      <Metadata>
        <!-- IdP metadata URL; B2C reads the IdP's endpoints and signing certificate from it -->
        <Item Key="PartnerEntity">https://trial-test.okta.com/app/test/sso/saml/metadata</Item>
      </Metadata>
      <CryptographicKeys>
        <Key Id="SamlMessageSigning" StorageReferenceId="test" />
      </CryptographicKeys>
      <OutputClaims>
        <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="assertionSubjectName" />
        <OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="http://www.okta.com/test" />
        <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" />
        <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="name" />
        <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="assertionSubjectName" />
      </OutputClaims>
      <OutputClaimsTransformations>
        <OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName" />
        <OutputClaimsTransformation ReferenceId="CreateUserPrincipalName" />
        <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId" />
        <OutputClaimsTransformation ReferenceId="CreateSubjectClaimFromAlternativeSecurityId" />
      </OutputClaimsTransformations>
      <!-- Session management technical profile used for this IdP -->
      <UseTechnicalProfileForSessionManagement ReferenceId="SM-Saml-idp" />
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>
I tried a lot of different configurations without any success.
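The acquireTokenSilent, then ssoSilent, then loginRedirect cascade described in the question, as an added example that is not part of the original post and is not MSAL's own code. It is written against a constructed stand-in for @azure/msal-browser's PublicClientApplication so it runs offline: the three method names match MSAL, while the InteractionRequiredAuthError stand-in, the fakeMsalClient stub, the trace array and the sample scenarios are assumptions made for this example. The point it adds to the question's three bullets is the error classification: only errors that mean "the user must interact" should fall through to the next step; anything else is rethrown so a misconfigured IdP does not degrade into an endless silent-then-redirect loop, and the trace shows exactly which step failed with which error code, which is what you would log when one IdP's ssoSilent always fails.

```javascript
// Added example (not from the question or from MSAL.js): the
// acquireTokenSilent -> ssoSilent -> loginRedirect cascade, written against a
// constructed stand-in for @azure/msal-browser's PublicClientApplication so
// that it runs offline. Method names match MSAL; the error class, the stub
// client, the scenarios and the trace array are assumptions for this example.

// Stand-in for MSAL's InteractionRequiredAuthError (constructed for this example).
class InteractionRequiredAuthError extends Error {
  constructor(errorCode) {
    super(errorCode);
    this.name = "InteractionRequiredAuthError";
    this.errorCode = errorCode;
  }
}

// Only errors that mean "the user has to interact" should fall through to the
// next, more intrusive step. Anything else (network, misconfiguration) is
// rethrown so it does not turn into a silent redirect loop.
function isInteractionRequired(err) {
  return err instanceof InteractionRequiredAuthError;
}

// Returns the token result, or null after handing control to loginRedirect.
// `trace` records which step produced the outcome and why the earlier steps
// failed, which is what you would log when diagnosing a failing ssoSilent.
async function acquireTokenWithSsoFallback(msalClient, request, trace = []) {
  // Step 1: this app's own token cache / refresh token.
  try {
    const result = await msalClient.acquireTokenSilent(request);
    trace.push("acquireTokenSilent");
    return result;
  } catch (err) {
    if (!isInteractionRequired(err)) throw err;
    trace.push("acquireTokenSilent:" + err.errorCode);
  }

  // Step 2: prompt=none round trip to B2C, which succeeds only if B2C still
  // holds an SSO session for this user (created when a sibling app signed in).
  // loginHint or sid in the request lets B2C pick that session without a prompt.
  try {
    const result = await msalClient.ssoSilent(request);
    trace.push("ssoSilent");
    return result;
  } catch (err) {
    if (!isInteractionRequired(err)) throw err;
    trace.push("ssoSilent:" + err.errorCode);
  }

  // Step 3: interactive sign-in. In the browser this navigates away and never
  // resolves with a token; the response is handled by handleRedirectPromise().
  await msalClient.loginRedirect(request);
  trace.push("loginRedirect");
  return null;
}

// Constructed stub that behaves like the MSAL client for a given scenario:
// `cacheHit` models a token already cached in this app, `b2cSession` models
// a live B2C SSO session created by one of the sibling apps.
function fakeMsalClient({ cacheHit, b2cSession }) {
  return {
    async acquireTokenSilent(req) {
      if (cacheHit) return { accessToken: "cached-token", scopes: req.scopes };
      throw new InteractionRequiredAuthError("interaction_required");
    },
    async ssoSilent(req) {
      if (b2cSession) return { accessToken: "sso-token", scopes: req.scopes };
      throw new InteractionRequiredAuthError("login_required");
    },
    async loginRedirect() {
      // Real MSAL navigates the browser here; the stub just resolves.
    },
  };
}

// Usage: a user who signed in to app1 (B2C session exists) now opens app2
// (empty cache). When the B2C session is reusable this resolves via ssoSilent.
async function demo() {
  const trace = [];
  const request = { scopes: ["openid"], loginHint: "user@contoso.com" };
  const client = fakeMsalClient({ cacheHit: false, b2cSession: true });
  const result = await acquireTokenWithSsoFallback(client, request, trace);
  return { token: result && result.accessToken, trace };
}
```

Run `demo()` and inspect `trace`: the SAML case from the question corresponds to the `b2cSession: false` scenario, where the trace ends in `ssoSilent:login_required` followed by `loginRedirect`, which is the symptom being reported. Keeping the error code in the trace matters because a plain network error or a bad redirect URI must surface as an exception rather than silently becoming another redirect.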