How does IDP Initated OpenID connect SSO with external IDP like okta using Azure AD B2C works?

Question

For SP initiated SSO

• User navigates to the service provider which initiates OIDC request to B2C with nonce and state in url parameters.
• Based on the domainHint passed, B2C redirects the user to their IDP (okta/salesforce etc..)
• Upon successful authentication, user gets redirected to B2C with id_token.
• B2C creates the user in AD if not exists and redirects to SP.
• SP validates the response with the nonce received against the nonce generated while initiating SSO and logs in the user.

How about IDP initiated SSO?

My Understanding

• After successful authentication to IDP, user clicks on the connected app which redirects him to SP login URL.
• SP initiated flow starts from here.

Is my understanding correct?

This is how IDP-initiated SAML SSO works: (Without B2C)
After successful authentication to IDP, user clicks on the connected app, which sends the SAML response to the ACS url configured in SP.

How does OpenID IDP-initiated SSO works using Azure AD B2C?

Answer 1

@Yashwanth Reddy Yenugu ,

In simpler terms:

SP initiated: User accesses the application. The application constructs the request (in most cases by using MSAL) and redirects the user to B2C.

IDP initiated : User directly goes to the IDP authentication endpoint and then access desired federated application by providing required parameters, such as client_id, state, scope etc. In case of B2C, you can do the IDP initiated authentication by using the "Run User Flow" link.

-----------------------------------------------------------------------------------------------------------

Please do not forget to "Accept the answer" wherever the information provided helps you. This will help others in the community as well.