Providing a generic PartnerEntity for SAML federation of SAML in Azure B2C

Question

We have a SaaS application where our IDP is Azure B2C.

We are using Azure B2C to allow enterprise SSO with external thru federation (SAML). Using B2C it required to setup a ClaimsProvider per enterprise company. This does expose the PartnerEntity.

Example (Claims technical profile):

<TechnicalProfile Id="Contoso-SAML2">
      <DisplayName>Contooso</DisplayName>
      <Description>Login with your AD FS account</Description>
      <Protocol Name="SAML2"/>
      <Metadata>
        <Item Key="RequestsSigned">false</Item>
        <Item Key="ResponsesSigned">false</Item>
        <Item Key="WantsEncryptedAssertions">false</Item>
        <Item Key="PartnerEntity">https://login.microsoftonline.com/..tenantid../federationmetadata/2007-06/federationmetadata.xml?appid=..appid..</Item>
      </Metadata>
      <CryptographicKeys>
        <Key Id="SamlMessageSigning" StorageReferenceId="B2C_1A_SAMLSigningCert"/>
      </CryptographicKeys>
      ...
    </TechnicalProfile>

We are trying to attempt creating a generic federation policy where the partner entity is generic - not adding one technical profile per external federation partner.

Example:

<ClaimsProvider>
  <DisplayName>SAML</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="Contoso-SAML2">
      <DisplayName>SAML</DisplayName>
      <Description>Login with your AD FS account</Description>
      <Protocol Name="SAML2"/>
      <Metadata>
        <Item Key="RequestsSigned">false</Item>
        <Item Key="ResponsesSigned">false</Item>
        <Item Key="WantsEncryptedAssertions">false</Item>
        <Item Key="PartnerEntity"> what to add here for generic ??? </Item>
      </Metadata>
      <CryptographicKeys>
        <Key Id="SamlMessageSigning" StorageReferenceId="B2C_1A_SAMLSigningCert"/>
      </CryptographicKeys>
      ...
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>

how to configure the what to add here for generic ??? ?

Answer 1

If you want to support SAML federation to any Entra ID tenant using a single technical profile then the entity URL is https://login.microsoftonline.com/common/FederationMetadata/2007-06/FederationMetadata.xml (taken from here).

If you want to support SAML federation to any arbitrary SAML IdP using a single technical profile then unfortunately you can't.

Each identity provider will have its own SAML metadata endpoint, that's what you're configuring in PartnerEntity. If all your IdPs have the same metadata endpoint then you only have one IdP and so you only need one technical profile.

If you want to define a common technical profile that's shared by all IdPs and want to be able to add new technical profiles for each IdP that just set the PartnerEntity then you can use IncludeTechnicalProfile:

<TechnicalProfile Id="Idp-Saml-Base">
  <DisplayName>Common</DisplayName>
  <Protocol Name="SAML2"/>
  <Metadata>
    <Item Key="RequestsSigned">false</Item>
    <Item Key="ResponsesSigned">false</Item>
    <Item Key="WantsEncryptedAssertions">false</Item>
  </Metadata>
  <CryptographicKeys>
    <Key Id="SamlMessageSigning" StorageReferenceId="B2C_1A_SAMLSigningCert"/>
  </CryptographicKeys>
  ...
</TechnicalProfile>

<TechnicalProfile Id="Idp-Contoso">
  <DisplayName>Contoso</DisplayName>
  <Description>Login with your AD FS account</Description>
  <Metadata>
    <Item Key="PartnerEntity">https://login.microsoftonline.com/..tenantid../federationmetadata/2007-06/federationmetadata.xml?appid=..appid..</Item>
  </Metadata>
  <IncludeTechnicalProfile ReferenceId="Idp-Saml-Base" />
</TechnicalProfile>