Share via

External Identities SAML Federation not working for Entra to Entra in External Tenant

Michal Kudanowski 15 Reputation points
2025-12-15T13:41:02.5+00:00

Hello, hello

Is it possible to establish SAML based federation from our Microsoft External Tenant - External Identities to our Partner Microsoft Main Tenant with self sign up?

According to every documentation I went through and few Q&A posts it should be.

But if I add "New SAML/WS-Fed IdP" with "Issuer URI" pointing to "https://sts.windows.net/<partner-tenant-id>/" it disappears from User Flow login page?

Microsoft Security | Microsoft Entra | Microsoft Entra External ID

3 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Michal Kudanowski 15 Reputation points
    2025-12-18T12:13:40.4866667+00:00

    so I have access to both tenants:

    • Partners tenant - main tenant
    • Company tenant - our external tenant

    Partner main tenant:

    1. I've created new enterprise application with option: "Integrate any other application you don’t find in the gallery (Non-gallery)"
    2. I've enabled "SAML-based Sign-on"
    3. For "Basic SAML Configuration" I've set up:
      1. Identifier (Entity ID) [which if not overridden should be set as audience]: https://login.microsoftonline.com/<company-external-tenant-id>/
      2. Reply URL (Assertion Consumer Service URL): https://<company-external-tenant-id>.ciamlogin.com/login.srf
    4. For "Attributes & Claims" I've set up:
      1. New "NameID Format" with fix value "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" has been added.
      2. "Append application ID to issuer" has been enabled.
    5. Partner domain is MS verified but just to be sure TXT DNS record has been added with value:
      "DirectFedAuthUrl=https://login.microsoftonline.com/<partner-main-tenant-id>/saml2"
    6. "Test single sign-on" is passing
    7. I've downloaded "Federation Metadata XML" file to "partner-sso.xml" file.

    Company external tenant:

    1. I've create app registration:
      1. "WEB SSO - Single tenant":
        1. Supported account types: Accounts in this organizational directory only (Sonata One NonProd Customers only - Single tenant)
        2. Redirect URI: Web -> https://jwt.ms
        1. "WEB SSO - Multitenant":
          1. Supported account types: Accounts in any organizational directory (Any Microsoft Entra ID tenant - Multitenant)
          2. Redirect URI: Web -> https://jwt.ms
    2. I've added SAML configuration through Azure Portal: "External identities" -> "All identity providers" -> "Custom" -> "Add new"
      1. Display name: Partner name
      2. Identity provider protocol: SAML
      3. Domain name of federating IdP: <partner-domain> (MS Verified)
      4. Select a method for populating metadata: Parse metadata file
      5. Metadata file: "partner-sso.xml" generated in previous step
      6. Issuer URI (populate automatically from file): https://sts.windows.net/<partner-main-tenant-id>/
      7. Passive authentication endpoint (populate automatically from file): https://login.microsoftonline.com/<partner-main-tenant-id>/saml2
      8. Certificate (populate automatically from file): <certificate>
      9. After pressing "Save" I got prompt: "This domain is Microsoft Entra ID verified. You will need to configure cross-tenant access inbound settings for users to sign in with SAML/Ws-Fed identity provider instead of Microsoft Entra ID." which is weird because Cross-tenant collaboration is not available in External tenant.
    3. In "Users flows" I've created new "Company-user-flow" for: "Sign up and sign in"
      1. Identity providers:
        1. Email accounts: Email with password
        2. Other Identity Providers: "Saml/Ws-Fed" with <partner-name>
      2. User attributes - left unchanged (default)
      3. Custom authentication extensions - left unchanged ("None selected" for all)
      4. Applications. I've added two created in step 1:
        1. WEB SSO - Single tenant
        2. WEB SSO - Multitenant

    After running user flow "Run user flow" for both apps I am getting same result:

    • No additional button with new Sign In options available
    • After providing email address: my-email@<partner.domain> I've received message: "We couldn't find an account with this email address."
    • After selecting "No account? Create one" and providing same address, code has been sent.
    • At any point I haven't been redirected to partner branded login page, at all time I had our company branding displayed
    • If I upload same file with "Issuer URI" pointing different url (non Microsoft), additional Sign in button appears and after selecting it I am redirected to external IdP

    Was this answer helpful?

  2. SUNOJ KUMAR YELURU 18,251 Reputation points MVP Volunteer Moderator
    2025-12-16T13:12:14.9433333+00:00

    Hello @Michal Kudanowski,

    Yes, it is possible to establish SAML-based federation from your Microsoft External Tenant to your partner’s Microsoft Main Tenant with self-sign-up. To do this, you need to follow specific steps to configure the SAML or WS-Fed identity provider in your external tenant. After setting up the federation, you must add the identity provider to a user flow to make it available on the sign-in pages. This involves signing into the Microsoft Entra admin center, selecting the appropriate user flow, and adding the identity provider under the settings for identity providers.

    However, if you notice that the identity provider disappears from the user flow login page after adding it, ensure that you have correctly configured the required attributes such as the Issuer URI and the passive authentication endpoint. It may take some time (5-10 minutes) for the federation policy to take effect, during which you should not attempt self-service sign-up or invitation redemption.

    Additionally, remember that the federation setup allows users from the external organization to sign in using their IdP-managed accounts without needing to create new Microsoft Entra credentials.

    If the Answer is helpful, please click Accept Answer and Up-Vote 👍, so that this can be beneficial to other community members.

    Was this answer helpful?

    0 comments
  3. Michal Kudanowski 15 Reputation points
    2025-12-15T14:55:37.2133333+00:00

    Steps to Troubleshoot:

    1. Verify Issuer URI: Done 100 times.
    2. Check Tenant Configuration: Done 100 times.
    3. Review User Flow Configuration:
      1. Make sure that the User Flow you're using is set to allow external identities. Check the configurations in the User Flows section of the Entra Admin Center. - This does not exists, right? It AI made up stuff?
    4. Compatibility with SAML IdPs:
      1. Ensure that the SAML IdP settings you’re using are compatible with Microsoft Entra. Currently, tested IdPs include AD FS and Shibboleth. Question is about Entra to Entra SAML Federation. What compatibility I should check?
    5. Audit Logs: What audit logs I should check for non-existing button? There is no option to select this IDP at all.
    6. Consult Documentation: I've been reading docs for a week.

    Follow up questions:
    1.) Yes I can confirm. We've tested around 1000000 different values in every field.

    2.) I can add IdP to user flow without any errors. It's just if 'Issuer URI' points to sts.windows the option does not appear on user flow login page. As soon as I provide any, even fake Custom IDP provider configuration, it appears and redirects to asserations endpoints.

    3.) Yes, I have access to Partners Azure Tenant and enterprise app has been configured accordingly to MS docs.

    Are you sure it's possible to establish SAML based federation between one Azure External Tenant and another Azure Main Tenant (workforce)? It looks like it does not work if you provide Microsoft issuer URI?

    Was this answer helpful?

    0 comments

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.