
azure ad b2c - AD B2C SAML encryption error - Sequence contains no elements

I have followed the Microsoft documentation to encrypt the assertions, but it gives me an error.

https://docs.microsoft.com/en-us/azure/active-directory-b2c/connect-with-saml-service-providers#enable-encrypted-assertions-optional

Metadata:

<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://samltestapp2.azurewebsites.net">
    <SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
        <AssertionConsumerService index="0" isDefault="true" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://samltestapp2.azurewebsites.net/SP/AssertionConsumer"/>
        <KeyDescriptor use="encryption">
            <!-- The XML Signature namespace is http://www.w3.org/2000/09/xmldsig# (http, not https).
                 Under any other URI the element is not recognised as ds:KeyInfo, so no encryption certificate is found. -->
            <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
                <X509Data>
                    <X509Certificate>MIIDODCCAiCgAwIBAgIQEaP5fKYAQ6VBxbBPDi/IVDANBgkqhkiG9w0BAQsFADAv MS0wKwYDVQQDDCRlbmNyeXB0aW9uLm9kZmxkZW1vNS5vbm1pY3Jvc29mdC5jb20w HhcNMjEwMTE5MDQ0NDQzWhcNMjIwMTE5MDQ1NDQzWjAvMS0wKwYDVQQDDCRlbmNy eXB0aW9uLm9kZmxkZW1vNS5vbm1pY3Jvc29mdC5jb20wggEiMA0GCSqGSIb3DQEB AQUAA4IBDwAwggEKAoIBAQClIee7OMFzTsZ3eDdTpDJOB0qsZCiGug3DtOoBrZsY pG6SNI1z7hPWiMJBJWaGrSPF/FcKS/RaOZi+G/Ht7RR+4qTzY2toqD7R7HYL8fyg lNx9d0n2RDRlgIHo9vtopw9fZaiEsvY3DiWWed9EvhQPyn9ewiZBWDLIlyOFT6oo jTiz6/xMneI96l8A7IQ+TAQbH2oUTaDTHksehmeVk3ExeWvgmfTzE812kzRMmWeP awlLJrCtRUu+NvxfDcmbv7bzxRfyDmM8gw7MIqELkIG4rNfFn0VvDnA7+oECm2DQ LKZgJZkAHJ+UWbKGj39CqOy6vkjA20pPtlhob5hp2qv1AgMBAAGjUDBOMA4GA1Ud DwEB/wQEAwIHgDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYBBQUHAwEwHQYDVR0O BBYEFC1rpD8SwvSUXRvLJY072Vtf21LfMA0GCSqGSIb3DQEBCwUAA4IBAQBmD7MU vVXyX7nZ3h1rvhQUI4ryd3DUNdWZA2frdPm8xx6WQfEJKlYLKsRErcaCFXc9CGFK 2Ijfb9D0NxYo9JNJd9c2j2sDgZyxud5zn9xmSb3VZ42E+9y8NQz+UCYl6xlRIwwh vIdRpsVhmcXjcpW9Sos2kZ5wOnnROp6VwYTKSVDJyJYXPEz8is7Hhv5a7gsDW2pO GQAZXKxuH10IIpudxBszdwRGt3O945hyGsJNySljvvwoPiBwtZbSQbjpzmMGkFU9 BetAjN25+kSa8CNjv2wbLbs4boY/SmVTxMDHQpZ6k9fdms2Rdidl0o6BKKtjdkeE fH/F9XGJ2EbQKNwD</X509Certificate>
                </X509Data>
            </KeyInfo>
        </KeyDescriptor>
    </SPSSODescriptor>
</EntityDescriptor>

Relying party file:

<RelyingParty>
    <DefaultUserJourney ReferenceId="SignUpOrSignInSAML" />
    <UserJourneyBehaviors>
        <JourneyInsights TelemetryEngine="ApplicationInsights" InstrumentationKey="xxxxxxxxxxxxxx" DeveloperMode="true" ClientEnabled="false" ServerEnabled="true" TelemetryVersion="1.0.0" />
        <ScriptExecution>Allow</ScriptExecution>
    </UserJourneyBehaviors>
    <TechnicalProfile Id="PolicyProfile">
        <DisplayName>PolicyProfile</DisplayName>
        <Protocol Name="SAML2"/>
        <Metadata>
            <Item Key="PartnerEntity">{Settings:MetadataURL}</Item>
            <Item Key="ResponsesSigned">false</Item>
            <Item Key="WantsEncryptedAssertions">true</Item>
            <Item Key="IdpInitiatedProfileEnabled">true</Item>
        </Metadata>
        <OutputClaims>
            <OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="givenName" />
            <OutputClaim ClaimTypeReferenceId="surname" PartnerClaimType="surname" />
            <OutputClaim ClaimTypeReferenceId="signInName" PartnerClaimType="sub"/>
        </OutputClaims>
        <SubjectNamingInfo ClaimType="sub" />
    </TechnicalProfile>
</RelyingParty>

Saml2AssertionIssuer:

<TechnicalProfile Id="Saml2AssertionIssuer">
    <DisplayName>Token Issuer</DisplayName>
    <Protocol Name="SAML2"/>
    <OutputTokenFormat>SAML2</OutputTokenFormat>
    <Metadata>
        <!-- The issuer contains the policy name; it should be the same name as configured in the relying party application. B2C_1A_signup_signin_SAML is used below. -->
        <Item Key="IssuerUri">{Settings:SignupSignInSAMLIssuerURI}</Item>
    </Metadata>
    <CryptographicKeys>
        <Key Id="MetadataSigning" StorageReferenceId="B2C_1A_SamlIdpCert"/>
        <Key Id="SamlAssertionSigning" StorageReferenceId="B2C_1A_SamlIdpCert"/>
        <Key Id="SamlMessageSigning" StorageReferenceId="B2C_1A_SamlIdpCert"/>
        <Key Id="SamlAssertionDecryption" StorageReferenceId="B2C_1A_SamlIdpCertEnc"/>
    </CryptographicKeys>
    <InputClaims/>
    <OutputClaims/>
    <UseTechnicalProfileForSessionManagement ReferenceId="SM-Saml-issuer"/>
</TechnicalProfile>

I am getting the error below. It works properly without encryption, but if I enable encryption I get this issue. Can someone suggest a way to resolve this error?

[Screenshot of the error: "Sequence contains no elements"]

Question from: https://stackoverflow.com/questions/65894431/ad-b2c-saml-encryption-error-sequence-contains-no-elements

1 Reply


Thanks @Saravana. WantsSignedAssertion indicates whether the technical profile requires all incoming assertions to be signed, and SAML Response Assertion elements received by the relying party application must be signed. B2C requires both the message and the assertion to be signed. If only the assertion is signed, then it fails, and B2C does not accept it.

Please verify with the SAML decoder tool and see if both the assertion and the message are signed or not.

Please let us know if you need more help.

Reference: https://github.com/azure-ad-b2c/saml-sp/blob/master/saml-rp-spec.md
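As an added example (not code from the question, the answer, or Azure AD B2C), the two checks this thread turns on, done with the Python standard library: whether the SP metadata exposes an encryption certificate under the real XML DSig namespace, and which parts of a SAML Response carry a signature. The metadata and response strings are constructed samples; with an encrypted assertion the assertion's own signature is only visible after decryption, which the second check reports rather than guesses.

```python
import base64
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"  # XML DSig namespace: http, not https


def check_encryption_key(metadata_xml):
    """Return (ok, reason): does the SP metadata expose a usable encryption cert?"""
    root = ET.fromstring(metadata_xml)
    for kd in root.iter(f"{{{MD}}}KeyDescriptor"):
        if kd.get("use", "encryption") != "encryption":  # no 'use' = both uses
            continue
        cert = kd.find(f"{{{DS}}}KeyInfo/{{{DS}}}X509Data/{{{DS}}}X509Certificate")
        if cert is None:
            # A KeyInfo declared under a look-alike namespace (e.g. an https://
            # spelling) is invisible to a namespace-aware lookup: empty sequence.
            return False, f"no ds:KeyInfo certificate; children: {[c.tag for c in kd]}"
        try:
            base64.b64decode("".join(cert.text.split()), validate=True)
        except (ValueError, TypeError) as exc:
            return False, f"certificate is not valid base64: {exc}"
        return True, "encryption certificate found"
    return False, "no KeyDescriptor usable for encryption"


def find_signatures(response_xml):
    """Return the set of top-level parts of a SAML Response that carry ds:Signature."""
    root = ET.fromstring(response_xml)
    signed = set()
    if root.find(f"{{{DS}}}Signature") is not None:
        signed.add("Response")
    if any(a.find(f"{{{DS}}}Signature") is not None
           for a in root.findall(f"{{{SAML}}}Assertion")):
        signed.add("Assertion")
    if root.find(f"{{{SAML}}}EncryptedAssertion") is not None:
        signed.add("EncryptedAssertion")  # inner signature only visible after decryption
    return signed


# Constructed samples (not real metadata or a real response).
BAD_MD = f'<EntityDescriptor xmlns="{MD}"><SPSSODescriptor><KeyDescriptor use="encryption">' \
         '<KeyInfo xmlns="https://www.w3.org/2000/09/xmldsig#"><X509Data>' \
         '<X509Certificate>MAA=</X509Certificate></X509Data></KeyInfo>' \
         '</KeyDescriptor></SPSSODescriptor></EntityDescriptor>'
GOOD_MD = BAD_MD.replace("https://www.w3.org", "http://www.w3.org")
RESP = f'<Response xmlns="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:ds="{DS}" xmlns:saml="{SAML}">' \
       '<saml:Assertion><ds:Signature/></saml:Assertion></Response>'
```

Run `check_encryption_key()` against the SP metadata B2C fetches and `find_signatures()` against a decoded SAMLResponse; a result of only {'Assertion'} means the Response message itself is unsigned.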