Tags: azure-ad-b2c-custom-policy, enterprise, microsoft-entra-id

Set up a custom policy in B2C for SSO using MS Entra as a SAML IdP


I have an application linked to MS Entra; this application (App1) is set up as an Enterprise Application to use SSO. This application does not have many users (3). It is meant to use SAML.

Some settings: certificates; list of claims returned by Entra.

On the other hand, I have a B2C tenant that is meant to use this MS Entra application for SSO, and I need to retrieve the email address that belongs to the signed-in user.

I have copied the certificate from MS Entra and added it as the SamlAssertionSigning key (done in B2C through the portal); the other certificate, SamlMessageSigning, is a new one.

The main problem is that I can't grab the info that is coming from the SAML assertion (Entra application).

I have the following code:

    <TechnicalProfile Id="MsEntraId-SAML2">
        <DisplayName>Salesforce</DisplayName>
        <Description>Entra SAML</Description>
        <Protocol Name="SAML2" />
        <Metadata>
            <!-- <Item Key="RequestsSigned">false</Item> -->
            <Item Key="ResponsesSigned">false</Item>
            <Item Key="WantsEncryptedAssertions">false</Item>
            <Item Key="WantsSignedAssertions">false</Item>
            <!-- Federation metadata of the Entra tenant that issues the assertion -->
            <Item Key="PartnerEntity">https://login.microsoftonline.com/<guidhere>/federationmetadata/2007-06/federationmetadata.xml</Item>
        </Metadata>
        <CryptographicKeys>
            <!-- Certificate copied from Entra (validates the assertion signature) -->
            <Key Id="SamlAssertionSigning" StorageReferenceId="B2C_1A_EntraMs" />
            <!-- New certificate generated for B2C (signs outgoing SAML messages) -->
            <Key Id="SamlMessageSigning" StorageReferenceId="B2C_1A_MsEntraSAMLCert" />
        </CryptographicKeys>
        <OutputClaims>
            <!-- PartnerClaimType is matched against the attribute Name in the assertion -->
            <OutputClaim ClaimTypeReferenceId="UserPrincipalName" />
            <OutputClaim ClaimTypeReferenceId="userPrincipalName" />
            <OutputClaim ClaimTypeReferenceId="Email" Required="true" PartnerClaimType="Email" />
            <OutputClaim ClaimTypeReferenceId="objectid" PartnerClaimType="Subject" />
            <OutputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="userprincipalname" DefaultValue="not found" />
            <OutputClaim ClaimTypeReferenceId="givenName" PartnerClaimType="user.givenname" />
            <OutputClaim ClaimTypeReferenceId="surname" PartnerClaimType="family_name" />
            <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="user.mail" />
            <OutputClaim ClaimTypeReferenceId="displayName" PartnerClaimType="username" />
            <OutputClaim ClaimTypeReferenceId="authenticationSource" DefaultValue="socialIdpAuthentication" />
            <OutputClaim ClaimTypeReferenceId="identityProvider" DefaultValue="entra.com" />
        </OutputClaims>
        <OutputClaimsTransformations>
            <OutputClaimsTransformation ReferenceId="CreateRandomUPNUserName" />
            <OutputClaimsTransformation ReferenceId="CreateUserPrincipalName" />
            <OutputClaimsTransformation ReferenceId="CreateAlternativeSecurityId" />
            <OutputClaimsTransformation ReferenceId="CreateSubjectClaimFromAlternativeSecurityId" />
        </OutputClaimsTransformations>
        <UseTechnicalProfileForSessionManagement ReferenceId="SM-Saml-idp" />
    </TechnicalProfile>

and then I have the following in the relying party:

    <RelyingParty>
        <DefaultUserJourney ReferenceId="SignUpOrSignInMsEntra" />
        <UserJourneyBehaviors>
            <ScriptExecution>Allow</ScriptExecution>
        </UserJourneyBehaviors>
        <!-- <Endpoints> -->
        <!-- points to refresh token journey when app makes refresh token request -->
        <!-- <Endpoint Id="Token" UserJourneyReferenceId="RedeemRefreshToken" /> -->
        <!-- </Endpoints> -->
        <TechnicalProfile Id="PolicyProfile">
            <DisplayName>PolicyProfile</DisplayName>
            <Protocol Name="OpenIdConnect" />
            <OutputClaims>
                <!-- Claims returned to the application in the issued token -->
                <OutputClaim ClaimTypeReferenceId="userprincipalname" PartnerClaimType="UserPrincipalName" />
                <OutputClaim ClaimTypeReferenceId="Email" />
                <OutputClaim ClaimTypeReferenceId="objectid" />
                <OutputClaim ClaimTypeReferenceId="issuerUserId" />
                <OutputClaim ClaimTypeReferenceId="displayName" />
                <OutputClaim ClaimTypeReferenceId="userPrincipalName" />
                <OutputClaim ClaimTypeReferenceId="givenName" />
                <OutputClaim ClaimTypeReferenceId="surname" />
                <OutputClaim ClaimTypeReferenceId="email" PartnerClaimType="user.mail" />
                <OutputClaim ClaimTypeReferenceId="objectId" PartnerClaimType="sub" />
                <OutputClaim ClaimTypeReferenceId="tenantId" AlwaysUseDefaultValue="true" DefaultValue="{Policy:TenantObjectId}" />
            </OutputClaims>
            <SubjectNamingInfo ClaimType="sub" />
        </TechnicalProfile>
    </RelyingParty>

So far, email is not coming back; the userPrincipalName claims (all of them) come from B2C, and the rest that are linked to Entra are not appearing.


Solution

  • the claims were not following the expected name; this will fix it for the email address
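As an added diagnostic (not code from the question or the answer), the script below parses a constructed Entra-style SAML assertion and reports which of the question's PartnerClaimType values would actually receive a value. It assumes Entra ID's default SAML attribute names, which are namespaced URIs such as http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress; the sample assertion and its values are constructed.

```python
# Added diagnostic, not from the question or answer: parse a SAML assertion and
# report which B2C PartnerClaimType values match an Attribute Name in it.
# The assertion below is constructed; the attribute names are the ones Entra ID
# emits by default for a SAML enterprise application (assumption).
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"

SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>user@contoso.example</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="{CLAIMS}emailaddress">
      <saml:AttributeValue>user@contoso.example</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="{CLAIMS}givenname">
      <saml:AttributeValue>Ada</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="{CLAIMS}surname">
      <saml:AttributeValue>Lovelace</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="{CLAIMS}name">
      <saml:AttributeValue>user@contoso.example</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def assertion_attributes(xml_text):
    """Return {attribute Name: first value} from the AttributeStatement."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        attrs[attr.get("Name")] = value.text if value is not None else None
    return attrs


def check_mappings(xml_text, partner_claim_types):
    """Map each PartnerClaimType to the value it would receive, or None if absent."""
    attrs = assertion_attributes(xml_text)
    return {p: attrs.get(p) for p in partner_claim_types}


# PartnerClaimType values as written in the question's technical profile.
QUESTION_MAPPINGS = ["Email", "user.mail", "userprincipalname", "user.givenname", "family_name"]
# The namespaced names that actually appear in the assertion.
CORRECTED_MAPPINGS = [CLAIMS + "emailaddress", CLAIMS + "givenname", CLAIMS + "surname"]

if __name__ == "__main__":
    for label, mapping in (("question", QUESTION_MAPPINGS), ("corrected", CORRECTED_MAPPINGS)):
        for partner, value in check_mappings(SAMPLE_ASSERTION, mapping).items():
            print(f"{label:9} {partner!r:75} -> {value}")
```

Running it shows every mapping from the question resolving to None while the namespaced names resolve to values; the same parser can be pointed at a real assertion captured from the browser's SAML trace to read the exact names to use as PartnerClaimType.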