How does IDP Initated OpenID connect SSO with external IDP like okta using Azure AD B2C works?

Yashwanth Reddy Yenugu 46 Reputation points
2020-06-03T13:41:53.363+00:00

For SP initiated SSO

  • User navigates to the service provider which initiates OIDC request to B2C with nonce and state in url parameters.
  • Based on the domainHint passed, B2C redirects the user to their IDP (okta/salesforce etc..)
  • Upon successful authentication, user gets redirected to B2C with id_token.
  • B2C creates the user in AD if not exists and redirects to SP.
  • SP validates the response with the nonce received against the nonce generated while initiating SSO and logs in the user.

How about IDP initiated SSO?

My Understanding

  • After successful authentication to IDP, user clicks on the connected app which redirects him to SP login URL.
  • SP initiated flow starts from here.

Is my understanding correct?

This is how IDP-initiated SAML SSO works: (Without B2C)
After successful authentication to IDP, user clicks on the connected app, which sends the SAML response to the ACS url configured in SP.

How does OpenID IDP-initiated SSO works using Azure AD B2C?

Microsoft Entra External ID
Microsoft Entra External ID
A modern identity solution for securing access to customer, citizen and partner-facing apps and services. It is the converged platform of Azure AD External Identities B2B and B2C. Replaces Azure Active Directory External Identities.
2,759 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. AmanpreetSingh-MSFT 56,491 Reputation points
    2020-06-05T08:19:08.92+00:00

    @Yashwanth Reddy Yenugu ,

    In simpler terms:

    SP initiated: User accesses the application. The application constructs the request (in most cases by using MSAL) and redirects the user to B2C.

    IDP initiated : User directly goes to the IDP authentication endpoint and then access desired federated application by providing required parameters, such as client_id, state, scope etc. In case of B2C, you can do the IDP initiated authentication by using the "Run User Flow" link.

    -----------------------------------------------------------------------------------------------------------

    Please do not forget to "Accept the answer" wherever the information provided helps you. This will help others in the community as well.