Ní thacaítear leis an mbrabhsálaí seo a thuilleadh.
Uasghrádú go Microsoft Edge chun leas a bhaint as na gnéithe is déanaí, nuashonruithe slándála, agus tacaíocht theicniúil.
Applies to: 
Workforce tenants 
External tenants (learn more)
By setting up federation with a custom-configured OpenID Connect (OIDC) identity provider, you enable users to sign up and sign in to your applications using their existing accounts from the federated external provider. This OIDC federation allows authentication with various providers that adhere to the OpenID Connect protocol.
When you add an OIDC identity provider to your user flow's sign-in options, users can sign up and sign in to the registered applications defined in that user flow. They can do this using their credentials from the OIDC identity provider. (Learn more about authentication methods and identity providers for customers.)
To be able to federate users to your identity provider, you first need to prepare your identity provider to accept federation requests from your Microsoft Entra ID tenant. To do that, you need to populate your redirect URIs and register to your identity provider to be recognized.
Before moving to next step, populate your redirect URIs as follows:
https://<tenant-subdomain>.ciamlogin.com/<tenant-ID>/federation/oauth2
https://<tenant-subdomain>.ciamlogin.com/<tenant-subdomain>.onmicrosoft.com/federation/oauth2
To enable sign-in and sign-up for users with an account in your identity provider, you need to register Microsoft Entra ID as an application in your identity provider. This step allows your identity provider to recognize and issue tokens to your Microsoft Entra ID for federation. Register the application using your populated redirect URIs. Save the details of your identity provider configuration to set up federation in your Microsoft Entra External ID tenant.
To configure OpenID connect federation with your identity provider in Microsoft Entra External ID, you need to have the following settings:
After you configured your identity provider, in this step you'll configure a new OpenID connect federation in the Microsoft Entra admin center.
Sign in to the Microsoft Entra admin center as at least an External Identity Provider Administrator.
Browse to Identity > External Identities > All identity providers.
Select the Custom tab, and then select Add new > Open ID Connect.
Enter the following details for your identity provider:
Display name: The name of your identity provider that will be displayed to your users during the sign-in and sign-up flows. For example, Sign in with IdP name or Sign up with IdP name.
Well-known endpoint (also known as metadata URI) is the OIDC discovery URI to obtain the configuration information for your identity provider. The response to be retrieved from a well-known location is a JSON document, including its OAuth 2.0 endpoint locations. Note that the metadata document should, at a minimum, contain the following properties: issuer, authorization_endpoint, token_endpoint, token_endpoint_auth_methods_supported, response_types_supported, subject_types_supported and jwks_uri. See OpenID Connect Discovery specifications for more details.
OpenID Issuer URI: The entity of your identity provider that issues access tokens for your application. An example, if you use OpenID Connect to federate with your Azure AD B2C, your issuer URI can be taken from your discovery URI with the "issuer” tag and will look like: https://login.b2clogin.com/{tenant}/v2.0/. Issuer URI is a case-sensitive URL using https scheme contains scheme, host, and optionally, port number and path components and no query or fragment components.
Nóta
Configuring other Microsoft Entra tenants as an external identity provider is currently not supported. Consequently, the microsoftonline.com domain in the issuer URI is not accepted.
client_secret_post, client_secret_jwt and private_key_jwt authentication methods are supported.Nóta
Due to possible security issues, client_secret_basic client authentication method is not supported.
openid profile. OpenID Connect requests must contain the openid scope value in scope in order to receive the ID token from your identity provider. Other scopes can be appended separated by spaces. Refer to the OpenID Connect documentation to see what other scopes may be available such as profile, email, etc.authorization_endpoint of your identity provider. Currently, only the code response type is supported. id_token and token are not supported at the moment.You can select Next: Claims mapping to configure claims mapping or Review + create to add your identity provider.
Nóta
Microsoft recommends you do not use the implicit grant flow or the ROPC flow. Therefore, OpenID connect external identity provider configuration does not support these flows. The recommended way of supporting SPAs is OAuth 2.0 Authorization code flow (with PKCE) which is supported by OIDC federation configuration.
At this point, the OIDC identity provider has been set up in your Microsoft Entra ID, but it's not yet available in any of the sign-in pages. To add the OIDC identity provider to a user flow:
In your external tenant, browse to Identity > External Identities > User flows.
Select the user flow where you want to add the OIDC identity provider.
Under Settings, select Identity providers.
Under Other Identity Providers, select OIDC identity provider.
Select Save.
Oiliúint
Modúl
Discover how Microsoft Entra External ID can provide secure, seamless sign-in experiences for your consumers and business customers. Explore tenant creation, app registration, flow customization, and account security.
Deimhniú
Microsoft Certified: Identity and Access Administrator Associate - Certifications
Demonstrate the features of Microsoft Entra ID to modernize identity solutions, implement hybrid solutions, and implement identity governance.
Doiciméadúchán
Plan a CIAM Deployment - Microsoft Entra External ID
Discover the steps for setting up a customer identity and access management (CIAM) solution in an external tenant, including creating a tenant, registering apps, and setting up user flows for sign-in.
Identity providers for external tenants - Microsoft Entra External ID
Learn sign-in and MFA options for customer identity and access management (CIAM), including email, one-time passcodes, social providers, SAML/WS-Fed, and OIDC.
Add Azure AD B2C for customer sign-in - Microsoft Entra External ID
Learn how to configure an Azure AD B2C tenant as an external identity provider in Microsoft Entra External ID, enabling users to sign in using their existing accounts.