How does IDP-initiated OpenID Connect SSO with an external IDP like Okta using Azure AD B2C work?

Yashwanth Reddy Yenugu 46 Reputation points
2020-06-03T13:41:53.363+00:00

For SP-initiated SSO

  • User navigates to the service provider, which initiates an OIDC request to B2C with nonce and state in the URL parameters.
  • Based on the domainHint passed, B2C redirects the user to their IDP (Okta/Salesforce etc.).
  • Upon successful authentication, the user gets redirected to B2C with an id_token.
  • B2C creates the user in AD if it does not exist and redirects to the SP.
  • The SP validates the response by checking the nonce received against the nonce generated while initiating SSO and logs in the user.

How about IDP-initiated SSO?

My Understanding

  • After successful authentication to the IDP, the user clicks on the connected app, which redirects him to the SP login URL.
  • The SP-initiated flow starts from here.

Is my understanding correct?

This is how IDP-initiated SAML SSO works (without B2C):
After successful authentication to the IDP, the user clicks on the connected app, which sends the SAML response to the ACS URL configured in the SP.

How does OpenID IDP-initiated SSO work using Azure AD B2C?

Microsoft Entra External ID
A modern identity solution for securing access to customer, citizen and partner-facing apps and services. It is the converged platform of Azure AD External Identities B2B and B2C. Replaces Azure Active Directory External Identities.

1 answer

  1. AmanpreetSingh-MSFT 56,551 Reputation points
    2020-06-05T08:19:08.92+00:00

    @Yashwanth Reddy Yenugu ,

    In simpler terms:

    SP initiated: User accesses the application. The application constructs the request (in most cases by using MSAL) and redirects the user to B2C.

    IDP initiated: The user directly goes to the IDP authentication endpoint and then accesses the desired federated application by providing the required parameters, such as client_id, state, scope, etc. In the case of B2C, you can do the IDP-initiated authentication by using the "Run User Flow" link.

    -----------------------------------------------------------------------------------------------------------

    Please do not forget to "Accept the answer" wherever the information provided helps you. This will help others in the community as well.
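The following is an added example, not code from the question, the answer or Microsoft. It shows the SP side of the OIDC exchange both posts describe: the SP mints state and nonce and remembers them when it builds the authorize request to B2C (with domain_hint to route to the external IdP), and on the callback it accepts an id_token only if the state is one it issued and the nonce matches. A response that arrives without such a pending request, which is what a user starting at the IdP or the "Run User Flow" link produces for the application, fails the state lookup. Tenant, policy, client_id, redirect URI and issuer values are placeholders; the documented B2C authorize endpoint shape is used, and the issuer must be taken from the policy's OpenID configuration document. Signature verification of the id_token against the policy's JWKS is assumed to be done by a JOSE library before the claim checks shown here.

```python
import base64
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholder tenant, policy and app values (assumed for this example, not from the post).
TENANT = "contoso"
POLICY = "B2C_1_signin"
CLIENT_ID = "11111111-2222-3333-4444-555555555555"
REDIRECT_URI = "https://app.example.com/auth/callback"
# Documented B2C endpoint shape. ISSUER is a placeholder: use the "issuer" value from the
# policy's .well-known/openid-configuration document in a real deployment.
AUTHORIZE_ENDPOINT = (f"https://{TENANT}.b2clogin.com/{TENANT}.onmicrosoft.com/"
                      f"{POLICY}/oauth2/v2.0/authorize")
ISSUER = "https://contoso.b2clogin.com/placeholder-tenant-id/v2.0/"

STATE_TTL = 600  # seconds a pending request stays valid
PENDING = {}     # state -> {"nonce": ..., "created": ...}; stands in for the SP session store


def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def build_authorize_url(domain_hint=None, now=None):
    """SP-initiated step: mint state and nonce, remember them, build the redirect to B2C."""
    state = secrets.token_urlsafe(32)
    nonce = secrets.token_urlsafe(32)
    PENDING[state] = {"nonce": nonce, "created": now if now is not None else time.time()}
    params = {
        "client_id": CLIENT_ID,
        "response_type": "id_token",   # the id_token return the question describes
        "response_mode": "form_post",
        "redirect_uri": REDIRECT_URI,
        "scope": "openid",
        "state": state,
        "nonce": nonce,
    }
    if domain_hint:
        params["domain_hint"] = domain_hint  # B2C routes straight to the matching external IdP
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def verify_callback(state, id_token, now=None):
    """Callback step. Assumes the id_token signature was already verified against the
    policy's JWKS by a JOSE library; this covers the state/nonce binding and core claims.
    Returns (True, claims) on success or (False, reason) on rejection."""
    now = now if now is not None else time.time()
    pending = PENDING.pop(state, None)  # one-time use: a replayed state finds nothing
    if pending is None:
        return False, "unknown state: response was not solicited by this SP"
    if now - pending["created"] > STATE_TTL:
        return False, "state expired"
    try:
        _header, payload, _sig = id_token.split(".")
        claims = json.loads(b64url_decode(payload))
    except (ValueError, json.JSONDecodeError):
        return False, "malformed id_token"
    if claims.get("iss") != ISSUER:
        return False, "issuer mismatch"
    aud = claims.get("aud")
    if aud != CLIENT_ID and not (isinstance(aud, list) and CLIENT_ID in aud):
        return False, "audience mismatch"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    if claims.get("nonce") != pending["nonce"]:
        return False, "nonce mismatch"
    return True, claims


def make_test_id_token(claims):
    """Constructed test fixture only: JWT-shaped token with a dummy signature segment."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.dummysig"


def demo():
    """Solicited response succeeds; replayed, unsolicited and wrong-nonce responses fail."""
    now = 1_700_000_000
    url = build_authorize_url(domain_hint="okta.com", now=now)
    q = parse_qs(urlparse(url).query)
    state, nonce = q["state"][0], q["nonce"][0]
    base = {"iss": ISSUER, "aud": CLIENT_ID, "sub": "user-1", "exp": now + 300}
    token = make_test_id_token(dict(base, nonce=nonce))
    ok, claims = verify_callback(state, token, now=now)
    replay = verify_callback(state, token, now=now)             # same state a second time
    unsolicited = verify_callback("state-never-issued", token, now=now)
    state2 = parse_qs(urlparse(build_authorize_url(now=now)).query)["state"][0]
    bad_nonce = verify_callback(state2, make_test_id_token(dict(base, nonce="not-ours")), now=now)
    return {
        "solicited_ok": ok and claims["sub"] == "user-1",
        "replay_rejected": not replay[0],
        "unsolicited_reason": unsolicited[1],
        "bad_nonce_reason": bad_nonce[1],
    }
```

Run `demo()` to see the four outcomes. The practical consequence for the question: because the SP only trusts responses bound to a state and nonce it minted, an OIDC relying party has no equivalent of the SAML ACS-style unsolicited response; a link from the IdP has to land on an SP URL that starts the SP-initiated request.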

