Microsoft Entra External Identity - Federated strong IdP support

JQ 25 Reputation points
2025-04-08T09:41:10.41+00:00

Hello,

We are currently in the process of identifying a CIAM solution for our customer portal. As we are already utilizing Azure and heavily reliant on the Microsoft ecosystem, we have started exploring Microsoft Entra External Identity. While we have reviewed the documentation for Entra External Identity, there are several technical details we would like to verify before determining its suitability for our use case.

One of our key requirements is that all customers must be authenticated through a strong identity provider. In our country, several options are available, all of which support OIDC/SAML federation. The Personally Identifiable Information (PII) from these identity providers is returned in an encrypted format. Based on our investigation, decrypting OIDC claims or SAML assertions from external identity providers does not seem to be supported out-of-the-box by Entra External Identity.

Potentially, we could use a custom claims provider to decrypt the PII and map this information to a user ID stored in our internal system. However, this approach would require the encrypted PII claims from external identity providers to be accessible to the custom claims provider.

Could you advise on the recommended method for handling encrypted claims or SAML assertions from external identity providers? Alternatively, is this functionality not currently supported?

We understand that our use case might be supported by the "Custom Policies" feature of Azure AD B2C. However, we have read that Azure AD B2C is no longer available for new customers (https://learn.microsoft.com/en-us/entra/external-id/customers/faq-customers). Could you confirm if this understanding is accurate?

Thank you in advance for your assistance.

Best regards

JQ


Accepted answer
Kancharla Saiteja 5,890 Reputation points Microsoft External Staff Moderator
2025-04-16T00:53:56.4133333+00:00

Hi @JQ,

Based on your query, I understand that you would like to add an external IDP to an Entra External tenant, with your requirements on assertion values and encrypted tokens.

As per my research on the above requirement, I have found the Microsoft document Add federation with SAML/WS-Fed identity providers, which talks about adding an external SAML IDP with Entra External ID.

This document confirms that Entra External ID supports only this assertion consumer URL in the response: https://<tenantID>.ciamlogin.com/login.srf, and may not be able to use external assertion URLs. I also found that the Microsoft Entra SAML/WS-Fed federation feature doesn't support sending a signed authentication token to the SAML identity provider. This has been confirmed here: Signed authentication tokens.

Checking this information, I believe your requirements may not be fulfilled. But I found a Tech Community blog where the member has added Okta as an external IDP with Okta assertion values. Here is the blog: Entra ID SAML Federation with an External Identity Provider

The blog specifies: Entra ID does not forward or share SAML assertions received from the external IdP directly with the application. Instead, Entra ID extracts claims from the attributes of the guest user profile in Entra ID.

Note: I have provided the blog just for your reference, if you would like to give it a try. Microsoft does not hold any responsibility for the blog's contents.

I hope this information is helpful. Please feel free to reach out if you have any further questions.

If the answer is helpful, please click "Accept Answer" and kindly "upvote it". If you have extra questions about this answer, please click "Comment".

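What the custom claims provider sketched in the question would look like under the constraint stated in the answer, as an added example that is not code from the original thread, from Microsoft, or from the linked blog: a Python handler for the Entra custom authentication extension "token issuance start" event. The only user data the event carries is what Entra holds on the user object (the `user` block of `authenticationContext`), not the external IdP's encrypted claims or assertion, so the lookup has to key on an Entra attribute such as the object id. The event and response shapes (the `@odata.type` values) follow the custom authentication extensions reference; the internal directory, the claim names and the sample event are constructed for the example, and validation of the bearer token Entra attaches to the request is assumed to be done by the hosting platform before this code runs.

```python
"""Custom claims provider for a Microsoft Entra custom authentication extension.

Handles the onTokenIssuanceStart event and answers with a provideClaimsForToken
action. Only attributes Entra holds on the user object are available here; the
raw assertion from the external IdP is not forwarded to the extension.
"""
import json

EVENT_TYPE = "microsoft.graph.authenticationEvent.tokenIssuanceStart"
CALLED_DATA_TYPE = "microsoft.graph.onTokenIssuanceStartCalledData"
RESPONSE_DATA_TYPE = "microsoft.graph.onTokenIssuanceStartResponseData"
ACTION_TYPE = "microsoft.graph.tokenIssuanceStart.provideClaimsForToken"

# Constructed stand-in for the internal customer directory (hypothetical data):
# Entra user object id -> internal record. A real deployment would query a
# database keyed on the same stable identifier.
INTERNAL_DIRECTORY = {
    "11111111-2222-3333-4444-555555555555": {
        "customer_id": "CUST-000123",
        "assurance_level": "strong",
    },
}


def parse_event(raw_body: str) -> dict:
    """Parse and validate the JSON body Entra posts to the extension endpoint.

    Caller authentication (the bearer token Entra attaches to the request) is
    assumed to be enforced by the hosting platform, e.g. Azure Functions
    built-in authentication, before this function is reached.
    """
    event = json.loads(raw_body)
    if event.get("type") != EVENT_TYPE:
        raise ValueError(f"unexpected event type: {event.get('type')!r}")
    data = event.get("data", {})
    if data.get("@odata.type") != CALLED_DATA_TYPE:
        raise ValueError(f"unexpected data type: {data.get('@odata.type')!r}")
    user = data.get("authenticationContext", {}).get("user")
    if not user or "id" not in user:
        raise ValueError("event carries no user object id")
    return event


def build_claims(user: dict, directory: dict = INTERNAL_DIRECTORY) -> dict:
    """Map the Entra user object to internal claims.

    Unknown users get an explicit 'unmapped' status claim rather than no claim,
    so the relying application can deny access deterministically instead of
    inferring it from an absent claim.
    """
    record = directory.get(user["id"])
    if record is None:
        return {"internal_customer_status": "unmapped"}
    return {
        "internal_customer_status": "mapped",
        "internal_customer_id": record["customer_id"],
        "assurance_level": record["assurance_level"],
    }


def handle_token_issuance_start(raw_body: str, directory: dict = INTERNAL_DIRECTORY) -> dict:
    """Return the response document Entra expects from the extension."""
    event = parse_event(raw_body)
    user = event["data"]["authenticationContext"]["user"]
    return {
        "data": {
            "@odata.type": RESPONSE_DATA_TYPE,
            "actions": [
                {"@odata.type": ACTION_TYPE, "claims": build_claims(user, directory)}
            ],
        }
    }


def sample_event(user_id: str) -> str:
    """Constructed request body in the shape Entra sends; not a captured event."""
    zero_guid = "00000000-0000-0000-0000-000000000000"
    return json.dumps({
        "type": EVENT_TYPE,
        "source": f"/tenants/{zero_guid}/applications/{zero_guid}",
        "data": {
            "@odata.type": CALLED_DATA_TYPE,
            "tenantId": zero_guid,
            "authenticationContext": {
                "correlationId": zero_guid,
                "protocol": "OAUTH2.0",
                # Only Entra user-object attributes appear here: no IdP claims.
                "user": {
                    "id": user_id,
                    "userType": "Guest",
                    "displayName": "Example Customer",
                },
            },
        },
    })


if __name__ == "__main__":
    body = sample_event("11111111-2222-3333-4444-555555555555")
    print(json.dumps(handle_token_issuance_start(body), indent=2))
```

Because the `user` block is all the extension sees, the decryption step JQ describes cannot happen inside it; the mapping between the external IdP's subject and the Entra user object has to be established elsewhere, and the extension can only enrich the token from that existing mapping.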
