How to manage B2B customers with their own OIDC Identity Provider?

Drew Williams 0 Reputation points
2025-03-17T10:15:34.74+00:00

I'm exploring identity options for a B2B SaaS application where each tenant in the SaaS application can bring their own OIDC identity provider. External ID in external tenants might be an option, but I'm struggling with two points:

  1. Whilst prototyping, I can't seem to get any Custom OIDC provider visible in the login page. I've created an app registration in a different Azure Tenant and used that to populate the OIDC information for a custom OIDC IdP, but it simply doesn't display as an option once the User Flow has rendered. Note that I have assigned it to the user flow and configured it as per the guidance. Note that I have also added a custom OIDC provider for MS Social logins that does render as expected.
  2. Assuming I can get it to render, is there a way of reducing the visibility of SSO options on the login screen? Let's say I have 500 B2B Tenants in my SaaS app, and they all bring their own IdP; I don't want to list all of the IdP options to any single client. Is there a way of obtaining a deep link to a specific SSO option so that my SaaS app can redirect to the correct IdP for the correct client, or maybe a way of hiding links based on "something" coming from the sign-on request?

1 answer

  1. Harshitha Eligeti 4,380 Reputation points Microsoft External Staff Moderator
    2025-03-21T10:29:54.6833333+00:00

    Hello @Drew Williams,
    I understand that you are working on configuring identity options for a B2B SaaS application, where each tenant can bring their own OIDC identity provider. This allows each tenant to set up a custom OpenID Connect (OIDC) provider. However, you're encountering some challenges.

    Regarding the visibility of the custom OIDC provider on the login page, ensure that the app registration in the different Azure tenants is correctly configured and that the OIDC information is properly populated. If the custom OIDC provider still doesn't appear, I recommend double-checking the user flow or custom policies settings and confirming that the provider is correctly assigned.

    To configure the OIDC Identity Provider (IdP) through user flows or custom policies, I recommend you refer to these documents: https://learn.microsoft.com/en-us/azure/active-directory-b2c/identity-provider-generic-openid-connect?pivots=b2c-user-flow
    https://learn.microsoft.com/en-us/azure/active-directory-b2c/direct-signin?pivots=b2c-custom-policy#set-up-direct-sign-in-using-azure-active-directory-b2c

    Regarding reducing the visibility of SSO options and directly redirecting users to a specific Identity Provider (IdP) in your Azure AD B2C implementation, you need to configure the IdP using user flows or custom policies within Azure. However, Azure does not allow you to hide IdPs for a particular tenant, nor does it support direct redirection to a specific IdP. The B2C mechanism works based on the IdP chosen by the user for authentication, not directly on the domain used for authentication. Since Microsoft Azure AD B2C presents all the IdPs associated with the application and has no option to detect the user before the UPN is provided in order to redirect to a specific IdP, I would suggest checking on the application side: if your application supports a mechanism that can redirect the user based on their domain, that would let you present the specific IdP to the user for authentication.
    Do let us know if you have any further queries.

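The application-side domain routing the answer suggests, as an added example that is not part of the original thread or of any Microsoft documentation: the SaaS app does home-realm discovery on the user's e-mail domain and redirects to that tenant's IdP only, so no list of IdPs is ever shown, while generating the per-login `state`, `nonce` and PKCE values it must later verify on the callback. The tenant registry, endpoints, client IDs and redirect URI are constructed placeholders.

```python
import base64
import hashlib
import secrets
from typing import Optional, Tuple
from urllib.parse import urlencode

# Constructed tenant registry for this example: each B2B tenant brings its own
# OIDC IdP, keyed by the e-mail domain that tenant owns. All values are placeholders.
TENANT_IDPS = {
    "contoso.example": {"authorize_endpoint": "https://idp.contoso.example/oauth2/v2.0/authorize",
                        "client_id": "contoso-client-id-placeholder"},
    "fabrikam.example": {"authorize_endpoint": "https://login.fabrikam.example/connect/authorize",
                         "client_id": "fabrikam-client-id-placeholder"},
}
REDIRECT_URI = "https://saas.example/auth/callback"  # placeholder callback of the SaaS app


def domain_of(email: str) -> Optional[str]:
    """Normalised domain part of an e-mail address, or None if it is not a single user@domain."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or not domain or "@" in local:
        return None
    return domain.lower().rstrip(".")


def lookup_idp(email: str) -> Optional[dict]:
    """Home-realm discovery done by the application: pick the tenant IdP from the domain.
    None means no tenant-specific IdP; the app should then fall back to its default flow."""
    domain = domain_of(email)
    return TENANT_IDPS.get(domain) if domain else None


def pkce_pair() -> Tuple[str, str]:
    """Fresh PKCE code_verifier and its S256 code_challenge (RFC 7636)."""
    verifier = secrets.token_urlsafe(64)
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return verifier, base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorize_url(email: str) -> Optional[Tuple[str, dict]]:
    """Redirect URL to the one IdP owning this user's domain, plus the per-login values
    (state, nonce, code_verifier) the app keeps server-side and checks on the callback."""
    idp = lookup_idp(email)
    if idp is None:
        return None
    verifier, challenge = pkce_pair()
    session = {"state": secrets.token_urlsafe(32), "nonce": secrets.token_urlsafe(32),
               "code_verifier": verifier, "domain": domain_of(email)}
    params = {"client_id": idp["client_id"], "response_type": "code", "redirect_uri": REDIRECT_URI,
              "scope": "openid profile email", "state": session["state"], "nonce": session["nonce"],
              "code_challenge": challenge, "code_challenge_method": "S256", "login_hint": email}
    return f"{idp['authorize_endpoint']}?{urlencode(params)}", session
```

Because the app resolves the IdP itself, the sign-in page needs only an e-mail field; users whose domain is not registered get the default flow rather than a 500-entry IdP list.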
