Adding WantAssertionsSigned to NAM Generated Metadata

I'm trying to federate with an Azure B2C instance. In this case, Azure is the IdP and NAM is the SP, so I'm configuring the Azure IdP as a SAML 2.0 Identity Provider in NAM.

One issue I am seeing is that Azure won't sign the SAML Assertion unless the metadata contains WantAssertionsSigned="true" in the SPSSODescriptor.  Per the Microsoft doc here:

https://learn.microsoft.com/en-us/azure/active-directory-b2c/saml-service-provider-options?pivots=b2c-custom-policy#check-the-saml-assertion-signature

When your application expects the SAML assertion section to be signed, make sure the SAML service provider set the WantAssertionsSigned to true. If it's set to false or doesn't exist, the assertion section won't be signed.

I don't see any way to make NAM generate metadata with that setting.  Is there an option or other hack that will allow this?

This is NAM 5.0 SP4.

Thanks.

Matt

  • 0  

    Hi!

    I never federated with Azure B2C as IdP, but can you upload metadata as a text file, so you can manually fix whatever is needed?

    Please keep in mind that manually modifying metadata will break metadata signature.

    So if Azure complains, try removing the metadata signature element (the Signature element just below EntityDescriptor). If Azure wants the metadata signed, you can re-sign it either with xmlsectool or some online utilities like https://www.samltool.com/sign_metadata.php

    Kind regards,

    Sebastijan


  • 0   in reply to   
    I never federated with Azure B2C as IdP but can you upload metadata as a text file, so you can manually fix whatever needed?

    That's precisely what we did and we got it working.  But the vendor I'm working with would rather have it directly refreshed from NAM's metadata.  They don't want to leave the manual fix, which I understand.  I do have a support case open as well.

    Matt

  • Verified Answer

    +1   in reply to   

    So good news! You can do this, at least at a global level, in NAM. Thanks to Al in support for pointing it out.  It is in the IdP general settings under Identity Consumer.  There is a check box, "Require Signed Assertions". If you check that box, WantAssertionsSigned="true" gets added to the SPSSODescriptor in the NAM Metadata.  I did search the docs myself but never did turn this up (probably because I was searching the specific metadata terms).  It is in section 2.8.2 of the NAM 5.0 Admin guide under "Configuring General Provider Settings."  Specifically:

    Require Signed Assertions: Specifies that all SAML assertions received by the service provider are signed by the issuing SAML authority. The signing authority uses a key pair to sign SAML data sent to this trusted provider.

    So it doesn't clearly explain what it does, which is why this is hard to find.

    Yet another case where better technical documentation would avoid a support case.

    It would also be nice if this could be controlled on a per provider configuration.

    Matt
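    An added check, not code from the thread, NAM or Microsoft, for the two points raised above: whether exported SP metadata actually carries WantAssertionsSigned="true" on the SPSSODescriptor (what Azure B2C keys on), and whether the document has an XML Signature that a hand edit would invalidate. It uses only the Python standard library; the sample metadata is constructed and its entityID and URLs are placeholders.

```python
"""Added example (not from the thread, NAM or Microsoft): inspect SP metadata
for the WantAssertionsSigned flag on SPSSODescriptor and for the presence of
an XML signature that a manual edit of the file would invalidate.
Standard library only; sample metadata is constructed, URLs are placeholders."""
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"


def inspect_sp_metadata(xml_text: str) -> dict:
    """Report what an IdP such as Azure B2C sees when it reads this metadata."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError(f"not a SAML EntityDescriptor: {root.tag}")
    sp = root.find(f"{{{MD}}}SPSSODescriptor")
    if sp is None:
        raise ValueError("no SPSSODescriptor: not service-provider metadata")
    # xs:boolean: "true" or "1" mean true; "false", "0" or an absent
    # attribute all mean the IdP is not asked to sign the assertion.
    raw = sp.get("WantAssertionsSigned")
    return {
        "entity_id": root.get("entityID"),
        "want_assertions_signed": raw is not None and raw.strip() in ("true", "1"),
        # Presence only: a Signature child of EntityDescriptor means the file
        # is signed, so hand-editing it will break that signature.
        "metadata_signed": root.find(f"{{{DS}}}Signature") is not None,
    }


def sample_metadata(want_signed: bool, signed: bool) -> str:
    """Build constructed SP metadata; placeholder values, not real NAM output."""
    attr = ' WantAssertionsSigned="true"' if want_signed else ""
    sig = (f'<ds:Signature xmlns:ds="{DS}"><ds:SignedInfo/></ds:Signature>'
           if signed else "")  # placeholder element, not a valid signature
    return (f'<md:EntityDescriptor xmlns:md="{MD}" '
            'entityID="https://sp.example.test/saml2/metadata">'
            f'{sig}<md:SPSSODescriptor{attr} '
            'protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
            '<md:AssertionConsumerService index="0" '
            'Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
            'Location="https://sp.example.test/saml2/acs"/>'
            '</md:SPSSODescriptor></md:EntityDescriptor>')


if __name__ == "__main__":
    # Default export versus one with "Require Signed Assertions" ticked.
    for flag in (False, True):
        print(inspect_sp_metadata(sample_metadata(flag, signed=True)))
```

Run it against the metadata NAM actually serves to confirm the checkbox took effect before handing the URL to the vendor.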

  • 0   in reply to   

    I should also point out that I think this is a BUG in NAM.  If that box is NOT checked, then NAM should ACCEPT a SAML assertion w/o it being signed.  NAM will NOT accept an unsigned SAML assertion by default.  NAM requires the SAML Assertion to be signed even though that check box is NOT checked and WantAssertionsSigned="true" is NOT in the metadata.  Your only options are to check that box so that the Identity Provider signs the assertion OR use the "SAML2 AVOID SIGN AND VALIDATE ASSERTIONS TRUSTED PROVIDERS" setting to tell NAM to accept an unsigned assertion.

    At the very least, very very confusing.  I wasted a lot of time figuring this out.

    Matt