Share via

SSO accross different identity provider domains

simon vdp 0 Reputation points
2024-07-11T15:23:15.6633333+00:00

Hello,

I am currently working on a project involving multiple service providers, each with a distinct domain, such as "domain1.com", "domain2.com", and so on. Each domain has its own custom login URL, for example, "login.domain1.com", "login.domain2.com", etc. Our objective is to implement Single Sign-On (SSO) across these various domains, but we are facing challenges.

In our current setup, service providers redirect users to the identity provider, where a cookie indicating an active session is set. However, this cookie is bound to the identity provider's domain, preventing it from being shared across different domains. Consequently, we are unable to achieve SSO functionality between these domains.

Could you please advise if there is a solution to enable SSO in this scenario?

Best regards,

Simon Vandeputte

Microsoft Security | Microsoft Entra | Microsoft Entra ID

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. simon vdp 0 Reputation points
    2024-07-12T06:04:43.5533333+00:00

    Hi,

    I don't think I gave enough context about our issue and current solution. We aren't using a third-party federation solution.

    We are currently utilizing Azure AD B2C, backed by Microsoft Entra ID, to deliver a custom login experience for our users. Our implementation involves multiple custom login domains, all pointing to the same Azure AD B2C tenant.

    We aim to achieve the following scenario:

    Initial Login: Users access Azure AD B2C through a custom domain URL:

    https://login.domain1.com/domain1.onmicrosoft.com/B2C_1A_signup_signin_saml/generic/login?EntityId=https://anotherwebappdomain.com/integration/splogin&ui_locales=en-GB

    Once authenticated, an active session is established.

    Seamless SSO Experience: If the user subsequently navigates to another custom login domain URL:

    https://login.domain2.com/tenantname.onmicrosoft.com/B2C_1A_signup_signin_saml/generic/login?EntityId=https://anotherwebappdomain.com/integration/splogin&ui_locales=en-GB

    The system should automatically recognize the existing session and log the user in without requiring them to re-authenticate.

    Our goal is to ensure a seamless Single Sign-On (SSO) experience across these different custom login domains while leveraging the same Azure AD B2C tenant.

    Best regards,

    Simon Vandeputte

  2. Marilee Turscak-MSFT 37,371 Reputation points Microsoft Employee Moderator
    2024-07-11T22:45:40.6033333+00:00

    Hi @simon vdp ,

    My understanding is if your organization uses a third-party federation solution, you can configure SSO for your on-premises Active Directory users with Microsoft Online services, such as Microsoft 365, provided the third-party federation solution is compatible with Entra ID/Azure AD.

    For questions regarding compatibility, you would need to contact your identity provider. There is a list of identity providers who have previously been tested for compatibility with Entra ID (by Microsoft) here: Entra ID identity provider compatibility docs.

    You would need to define both the tenants to which IDP will be connected and the domain you want to federate from the tenant. So, users belonging to non-federated domain will be using Entra ID/Azure AD as IDP.

    What you are describing should be possible if the IdPs are compatible with Entra ID/Azure.

    https://learn.microsoft.com/en-us/entra/external-id/direct-federation#frequently-asked-questions

    0 comments

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.