Power Platform Community Forum Thread Details

How to customize SAML Payload for Power Pages

I am trying to connect the out of the box Power Pages SAML Provider to use Login.gov as an Identity provider.

Login.gov requires specifically formatted SAML Payload that Power Pages does not provide by default, mainly regarding the AuthNContextClass attribute.

I do not see any way to format the SAML Payload using published methods from Microsoft in the Power Pages documentation. The redirect is coming from .../Account/Login/ExternalLogin when the signin form posts.

To add to this, I have seen exactly one site that is accomplishing the connection to Login.gov and decoding their SAML payload it has been customized to fit the requirements from Login.gov:
https://oscportal.powerappsportals.us/Account/Login/Register?returnUrl=%2F

I have been unable to determine how exactly the payload is being customized - not finding any Azure B2C as a middle man, and no javascript that would do this. There is zero documentation available from Microsoft in how to accomplishing this.

Just curious if anyone has had any success in this area and if they could share their insight

Categories:

Power Apps portals

@Cadia Stands

You're absolutely right — integrating Login.gov as a SAML identity provider with Power Pages is not straightforward due to Login.gov’s strict SAML requirements, particularly around the AuthnContextClassRef attribute.

🔍 Why This Happens

Power Pages' out-of-the-box SAML 2.0 provider setup does not expose a way to customize the SAML request payload, including the AuthnContextClassRef, which Login.gov requires to be explicitly set (e.g., urn:oasis:names:tc:SAML:2.0:ac:classes:IAL2).

✅ What You Can Do

1. Use Azure AD B2C as a Proxy (Recommended)

Microsoft officially supports using Azure AD B2C with custom policies (IEF) to integrate with Login.gov. This allows you to:

Fully customize the SAML request.
Set the required AuthnContextClassRef.
Handle encryption and signing requirements.

Once configured, you can connect Power Pages to Azure AD B2C (which then federates to Login.gov).

Microsoft’s GitHub repo has a Login.gov + Azure AD B2C sample .

2. Direct Integration with Power Pages (Not Currently Supported)

As of now, Power Pages does not support customizing the SAML AuthN request directly. The /Account/Login/ExternalLogin endpoint is managed internally and does not allow injection or override of the AuthnContextClassRef.

What That One Working Site Might Be Doing

The site you referenced (oscportal.powerappsportals.us) may be:

Using Azure AD B2C as a proxy, but hiding it well.
Using a custom external identity provider with a reverse proxy or middleware.
Possibly using custom JavaScript or server-side logic to redirect to a pre-built SAML request (though this is unlikely without Azure B2C or a custom IdP).