Microsoft Security | Microsoft Entra | Microsoft Entra ID
A cloud-based identity and access management service for securing user authentication and resource access
Custom OpenID Connect identity provider not displaying on CIAM login page
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(169.60000000000002, 38%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESK%3C/text%3E%3C/svg%3E)
Subbiah Kalidasan
0
Reputation points
Problem
I configured a custom OpenID Connect identity provider in Microsoft Entra External ID (CIAM) to federate with a standard Entra ID tenant. The provider is configured correctly, but the button does not appear on the login page.
Configuration
CIAM Tenant:
- Tenant ID: PII removed
- Custom domain: PII removed.ciamlogin.com
- Identity provider: "PII removed" (OIDC protocol)
- User flow: ExternalID_SignUpSignIn
Parent Tenant (Standard Entra ID):
- Tenant ID: PII removed
- App ID: PII removed
Identity Provider Settings:
- Metadata URL:PII removed
- Scope: openid profile email
- Response type: code
- Claims mapping: configured
- Added to user flow and saved
Redirect URIs in Parent Tenant:
PII removed
What's Happening
- Google social provider button appears (works)
- Local account option appears (works)
- Custom OIDC provider button does NOT appear
Verification
Authentication works when using domain_hint parameter: ?domain_hint=PII removed This confirms the federation is configured correctly.
What I've Tried
- Verified provider is enabled in user flow
- Tested in multiple browsers with cache cleared
- Recreated the identity provider
- Followed the documentation: https://learn.microsoft.com/en-us/entra/external-id/customers/how-to-custom-oidc-federation-customers
- Used the correct redirect URI pattern: /federation/oauth2
Question
Is there additional configuration needed for custom OIDC providers to appear on the default CIAM login page? Or does federating a standard Entra ID tenant with CIAM require custom page templates?
What's the recommended approach for displaying multiple authentication options (local, Google, and custom OIDC) in CIAM?
Microsoft Security | Microsoft Entra | Microsoft Entra ID
{count} votes
-
Subbiah Kalidasan 0 Reputation points
2025-12-23T04:19:06.41+00:00 Thank you for the reference. I've reviewed the documentation at https://learn.microsoft.com/en-us/entra/external-id/customers/concept-authentication-methods-customers#custom-oidc-identity-provider
The documentation states that custom OIDC providers should appear as authentication options on the sign-in page. However, in my configuration:
- Google (built-in social provider) displays correctly ✓
- Custom OIDC provider does NOT display ✗
- Authentication works with domain_hint, confirming the federation is configured correctly ✓
My setup matches the documented requirements:
- Identity provider added to External Identities
- Enabled in user flow
- Correct redirect URIs configured (/federation/oauth2 pattern)
- All required settings configured per the how-to guide
Could you help me understand:
- Are there specific requirements for custom OIDC providers that federate with standard Entra ID tenants (not third-party IdPs like Okta/Auth0)?
- Is there a known limitation where Entra ID-to-CIAM federation via custom OIDC doesn't display on the default login page?
- Should I open a support ticket for tenant-specific investigation?
My configuration details are in my original question above. Thank you for your help!
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(220.8, 92%, 31%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESM%3C/text%3E%3C/svg%3E)
Sridevi Machavarapu 16,520 Reputation points Microsoft External Staff Moderator2025-12-23T04:40:07.1466667+00:00 Hello Subbiah Kalidasan,
We will check this internally and get back to you soon with an update!
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(201.6, 99%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ER%3C/text%3E%3C/svg%3E)
Rukmini 20,530 Reputation points Microsoft External Staff Moderator2025-12-24T21:28:59.6866667+00:00 Hello Subbiah Kalidasan,
This is by design behavior.
Custom OpenID Connect identity providers (including federation with another Entra ID tenant) do not automatically appear as buttons on the default hosted sign-in page in Microsoft Entra External ID (CIAM).
- A successful sign-in using
domain_hintconfirms that the federation is configured correctly. The user flow has the provider activated. - Only built-in providers are rendered by the default CIAM UI (local account, Google, etc.)
- To have a custom OIDC provider appear as a button, there is no supported Graph/API or setting.
Below options are supported:
- Use domain_hint to route users to the federated Entra ID tenant (recommended)
- Use domain_hint (preferred). If a visible button is necessary, use custom page templates.
Hence, Federation is working as expected. Custom OIDC providers need either domain_hint or a custom user interface (UI) and are intentionally not displayed on the default CIAM login page.
Let me know if any further queries - feel free to reach out!
- A successful sign-in using
-
Sridevi Machavarapu 16,520 Reputation points Microsoft External Staff Moderator
2025-12-26T02:28:53.46+00:00 Hello Subbiah Kalidasan,
Any update on this? Could you confirm whether we are good to close this question or still have further queries?
-
Subbiah Kalidasan 0 Reputation points
2025-12-26T15:22:39.2833333+00:00 Thank you for the clarification. This helps us understand that the federation setup is working as expected.
We have a few follow-up questions to better understand how this should be implemented for Internal vs External users and to confirm the recommended approach.
When we use domain_hint to route authentication to the federated Entra ID (custom OpenID provider):
Will all users be redirected to the federated IdP (SSO), or
Is it possible for only Internal users (from a specific domain or tenant) to be routed to SSO, while External users continue to authenticate using local CIAM accounts?
If conditional routing is supported:
Is this behavior controlled purely by the domain_hint parameter, or
Can CIAM automatically determine the authentication path based on the user’s email domain or account type within the same user flow?
For scenarios where both login types must coexist:
Is the recommended approach to expose separate login entry points (for example, an “SSO Login” link using domain_hint and an “Email/Password Login” link without it)?
Or is there a supported way to dynamically apply domain_hint within a single user flow?
As mentioned, if a visible SSO button is required, you indicated that this can be achieved using a custom user interface.
Could you please share the official Microsoft documentation or sample reference for implementing custom page templates / custom UI in Microsoft Entra External ID (CIAM) user flows?
Any sample HTML, walkthrough, or supported reference link would be very helpful.
Understanding this will help us design the correct login experience for Internal users (SSO-based) versus External users (local CIAM accounts).
Thanks in advance for your guidance.
Best regards,
Subbiah Kalidasan
-
Sridevi Machavarapu 16,520 Reputation points Microsoft External Staff Moderator
2025-12-29T05:56:38.3966667+00:00 Hello Subbiah Kalidasan,
Using
domain_hintdoes not redirect all users to SSO. Only users who access the sign-in URL withdomain_hintare routed to the federated Entra ID. Users who sign in without it can continue using local CIAM accounts or built-in providers. This allows internal users to use SSO while external users continue with local sign-in.CIAM does not automatically choose the authentication path based on the user’s email domain or account type. Routing is controlled only by the presence of
domain_hint. There is no supported way to dynamically apply this logic within a single default user flow.When both login types need to coexist, the recommended and supported approach is to expose separate sign-in entry points:
- an SSO sign-in link that includes
domain_hint - a regular sign-in link without
domain_hint
If a visible SSO option is required, Microsoft Entra External ID supports branding and theming of the hosted pages, but it does not support full custom HTML templates like Azure AD B2C. The supported customization options are documented here: https://learn.microsoft.com/en-us/entra/external-id/customers/how-to-customize-branding-customers
For full control over buttons or routing logic, the common approach is to handle this on your application’s landing page and then redirect users to CIAM with or without
domain_hint.Hope this helps. Please let us know if you have any further questions or if we can close this thread.
- an SSO sign-in link that includes
-
Sridevi Machavarapu 16,520 Reputation points Microsoft External Staff Moderator
2025-12-30T06:17:33.18+00:00 Hello Subbiah Kalidasan,
Any update on this? Could you confirm whether we are good to close this question or still have further queries?
Sign in to comment
Sign in to answer