How does IDP Initated OpenID connect SSO with external IDP like okta using Azure AD B2C works?

Yashwanth Reddy Yenugu 46 Reputation points

For SP initiated SSO

  • User navigates to the service provider which initiates OIDC request to B2C with nonce and state in url parameters.
  • Based on the domainHint passed, B2C redirects the user to their IDP (okta/salesforce etc..)
  • Upon successful authentication, user gets redirected to B2C with id_token.
  • B2C creates the user in AD if not exists and redirects to SP.
  • SP validates the response with the nonce received against the nonce generated while initiating SSO and logs in the user.

How about IDP initiated SSO?

My Understanding

  • After successful authentication to IDP, user clicks on the connected app which redirects him to SP login URL.
  • SP initiated flow starts from here.

Is my understanding correct?

This is how IDP-initiated SAML SSO works: (Without B2C)
After successful authentication to IDP, user clicks on the connected app, which sends the SAML response to the ACS url configured in SP.

How does OpenID IDP-initiated SSO works using Azure AD B2C?

Microsoft Entra External ID
Microsoft Entra External ID
A modern identity solution for securing access to customer, citizen and partner-facing apps and services. It is the converged platform of Azure AD External Identities B2B and B2C. Replaces Azure Active Directory External Identities.
2,759 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. AmanpreetSingh-MSFT 56,491 Reputation points

    @Yashwanth Reddy Yenugu ,

    In simpler terms:

    SP initiated: User accesses the application. The application constructs the request (in most cases by using MSAL) and redirects the user to B2C.

    IDP initiated : User directly goes to the IDP authentication endpoint and then access desired federated application by providing required parameters, such as client_id, state, scope etc. In case of B2C, you can do the IDP initiated authentication by using the "Run User Flow" link.


    Please do not forget to "Accept the answer" wherever the information provided helps you. This will help others in the community as well.