For SP initiated SSO
User navigates to the service provider, which initiates an OIDC request to B2C with nonce and state in the URL parameters.
Based on the domainHint passed, B2C redirects the user to their IDP (Okta/Salesforce etc.).
Upon successful authentication, the user gets redirected to B2C with an id_token.
B2C creates the user in AD if it does not exist and redirects to the SP.
SP validates the response by checking the nonce received against the nonce generated when initiating SSO, and logs in the user.
How about IDP initiated SSO?
After successful authentication to the IDP, the user clicks on the connected app, which redirects them to the SP login URL.
SP initiated flow starts from here.
Is my understanding correct?
This is how IDP-initiated SAML SSO works: (Without B2C)
After successful authentication to the IDP, the user clicks on the connected app, which sends the SAML response to the ACS URL configured in the SP.
How does OpenID IDP-initiated SSO work using Azure AD B2C?
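A worked example of the SP-initiated sequence described in the question, written in Python for this page; it is not code from the question, from Azure AD B2C, or from Microsoft's libraries. The B2C endpoint, issuer, client id, redirect URI and the HS256 key are constructed placeholders (real B2C id_tokens are RS256-signed and an SP fetches the keys from the tenant's JWKS endpoint). It shows the SP minting state and nonce before redirecting with domain_hint, then validating the returned id_token against what it stored. The final check also shows why an id_token that arrives with no matching state/nonce in the SP session is refused: OpenID Connect Core defines no counterpart to SAML's unsolicited response, so the nonce can only be checked against a request the SP itself started.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import urlencode

# Constructed values standing in for a real B2C tenant and SP registration.
B2C_AUTHORIZE_ENDPOINT = (
    "https://contoso.b2clogin.com/contoso.onmicrosoft.com/"
    "B2C_1A_signup_signin/oauth2/v2.0/authorize"
)
B2C_ISSUER = "https://contoso.b2clogin.com/TENANT-ID-PLACEHOLDER/v2.0/"
SP_CLIENT_ID = "SP-CLIENT-ID-PLACEHOLDER"
SP_REDIRECT_URI = "https://sp.example.com/signin-oidc"
# Stand-in symmetric key so the example runs offline; B2C really uses RS256 + JWKS.
CONSTRUCTED_SIGNING_KEY = b"constructed-hs256-key-for-demo-only"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def start_sp_initiated_login(session: dict, domain_hint: str) -> str:
    """SP side, step 1: mint state and nonce, remember them, build the B2C request URL."""
    state = secrets.token_urlsafe(32)
    nonce = secrets.token_urlsafe(32)
    session["oidc_state"] = state
    session["oidc_nonce"] = nonce
    params = {
        "client_id": SP_CLIENT_ID,
        "response_type": "id_token",
        "redirect_uri": SP_REDIRECT_URI,
        "response_mode": "form_post",
        "scope": "openid profile",
        "state": state,
        "nonce": nonce,
        "domain_hint": domain_hint,  # tells B2C which federated IDP to send the user to
    }
    return f"{B2C_AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def mint_constructed_id_token(claims: dict, key: bytes) -> str:
    """Constructed stand-in for B2C issuing an id_token after the federated IDP signs the user in."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_id_token(token: str, key: bytes) -> dict:
    """Check the JWT signature (pinned to HS256 for this demo) and return its claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed id_token")
    header_b64, payload_b64, sig_b64 = parts
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload_b64))


def complete_sp_initiated_login(session: dict, state: str, id_token: str,
                                key: bytes = CONSTRUCTED_SIGNING_KEY, now=None) -> dict:
    """SP side, step 5: bind the response to the request this SP started."""
    now = time.time() if now is None else now
    expected_state = session.pop("oidc_state", None)
    expected_nonce = session.pop("oidc_nonce", None)  # single use: popped even on failure
    if expected_state is None or expected_nonce is None:
        # Nothing outstanding: an unsolicited id_token has no request to be bound to.
        raise ValueError("no pending login in session")
    if not hmac.compare_digest(state, expected_state):
        raise ValueError("state mismatch")
    claims = verify_id_token(id_token, key)
    if claims.get("iss") != B2C_ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != SP_CLIENT_ID:
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if not hmac.compare_digest(str(claims.get("nonce", "")), expected_nonce):
        raise ValueError("nonce mismatch")
    return claims


def run_flow(domain_hint: str = "okta.example.com", tamper_nonce: bool = False) -> dict:
    """Drive both sides in-process with constructed data; returns the accepted claims."""
    session = {}
    start_sp_initiated_login(session, domain_hint)
    # B2C's turn (constructed): after the federated IDP authenticates, echo the nonce back.
    nonce = "wrong-nonce" if tamper_nonce else session["oidc_nonce"]
    token = mint_constructed_id_token({
        "iss": B2C_ISSUER, "aud": SP_CLIENT_ID, "sub": "constructed-user-oid",
        "exp": int(time.time()) + 300, "nonce": nonce,
    }, CONSTRUCTED_SIGNING_KEY)
    return complete_sp_initiated_login(session, session["oidc_state"], token)


if __name__ == "__main__":
    print(run_flow())
```

Because state and nonce are popped from the session on the first callback, a replayed or tampered response fails closed, and a callback that arrives before any request was started is rejected outright.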