I have created a SignIn Customer Policy based upon the examples for LinkedIn and SAML that I have been able to find. I have correctly configured my SAML-based app and it is redirecting to the B2C site as expected to start the UserJourney. However, it is currently failing the initial stages of Authentication with the following error:
The specified error:
{
  "Key": "Exception",
  "Value": {
    "Kind": "Handled",
    "HResult": "80131500",
    "Message": "The specified assertion consumer service URL https://test.xxx.com/api/1.0/sso/12345678/acs/ is invalid.",
    "Data": {
      "IsPolicySpecificError": false
    }
  }
}
Note: the specified endpoint above does exist and is the ACS endpoint.
We have a correctly running SSO setup which is connecting to the Azure AD service and correctly connecting via the same App. This is using the same URL but with a different unique ID, i.e.
URL https://test.xxx.com/api/1.0/sso/AABBCCDDEEFF/acs/
The problem is to do with the Issuer value. By default we send the app's metadata URL as the Issuer. This does not match the Application URI, and it is not possible to set this to any domain except the B2C domain. This is unlike Azure AD, where you can set Custom Domains, which correctly allows our app to authenticate using SSO.
Why can you not set up Custom Domains as you can on Azure AD? From reading the docs they are based on the same technology; this seems a limitation to me.