Hey everyone! We've developed several applications mainly for our internal organization, which are set up with app registrations in Entra and use OAuth/OIDC for login with the MSAL library on our web app. Everything has been working smoothly for us. However, upper management recently decided to sell access to these applications to external firms. For that, we created new multi-tenant app registrations and validated each tenant during the login process, which has also been successful since all users are Entra users. Now, we have a new client who doesn't use Entra and wants to implement SAML with us acting as the Service Provider. I'm wondering what realistic options we have here? I doubt it would be easy to have our apps directly support SAML. Is there a way to have our Entra tenant manage SAML while still using OpenID for the apps? I've read that Entra External ID might offer a potential solution, but I feel a bit lost on the details.
3 Answers
One approach could be to integrate your OIDC app with an intermediary auth provider, like Azure/Entra B2C. This way, your app only needs to interact with the B2C tenant for tokens, and you can federate that tenant with third-party IDPs for SAML support.
If you're looking for a Microsoft-centric route, Entra External ID can support this, but I’ve heard it can be quite a hassle to set up, kind of like Azure B2C.
It's definitely not as tricky as B2C, so for this straightforward use case, it might actually work—unless new requirements pop up that complicate things.
I've worked with a client who also needed SSO and SAML, and after analyzing the options, we ended up choosing Kinde instead of Entra External ID. It's been a great decision for us since Entra was just too complex and pricey, in my opinion.
Sorry if this is a basic question, but are you suggesting that we set up a B2C tenant (or use the external ID or Auth0) for each large client? We would manage the tenant and accept tokens from it like we do with our own Entra, just with a different tenant GUID? So when they log in to our web apps, MSAL sends them to the client tenant, which then redirects to the federated IDP, and eventually gets tokens back to complete the login?
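The flow sketched in this thread (app trusts tokens from its own Entra tenant plus a B2C/External ID tenant that fronts the SAML customer) has one check that deserves explicit code: which issuers the app accepts. With a multi-tenant registration, a token minted by any Entra tenant carries a valid signature and your client id as audience, so the tenant allowlist mentioned in the question has to be enforced by the app (the common mistake is to disable issuer validation because the single-tenant issuer string no longer matches). The example below is added here and is not code from the thread; it assumes MSAL or your framework middleware has already verified the signature against the issuing tenant's JWKS, and the issuer URLs, tenant GUIDs and client id are made-up placeholders (the B2C entry is a placeholder URL; copy the real `issuer` value from each tenant's OpenID discovery document). The `tid` check is optional because not every issuer type is guaranteed to include that claim; Entra v2.0 tokens do.

```python
"""Tenant allowlist check for an app that accepts tokens from several issuers.
Added example, not from the original thread. Runs offline on constructed input.
"""
import base64
import json
import time
from typing import Optional

# Our app registration's client id (made-up value).
CLIENT_ID = "11111111-2222-3333-4444-555555555555"

# Exact issuer string -> tenant id, one entry per tenant we accept tokens from.
# Both entries are placeholders; take the real values from each tenant's
# /.well-known/openid-configuration document rather than building them by hand.
ALLOWED_ISSUERS = {
    # our own Entra tenant (v2.0 issuer shape)
    "https://login.microsoftonline.com/aaaaaaaa-0000-0000-0000-000000000001/v2.0":
        "aaaaaaaa-0000-0000-0000-000000000001",
    # the B2C / External ID tenant that federates out to the customer's SAML IdP
    "https://contoso-b2c.example/bbbbbbbb-0000-0000-0000-000000000002/v2.0":
        "bbbbbbbb-0000-0000-0000-000000000002",
}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_claims(token: str) -> dict:
    """Return the payload of a compact JWS. Does NOT verify the signature:
    only call this on a token your JWT library has already verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def check_tenant(claims: dict, now: Optional[float] = None) -> str:
    """Reject tokens from issuers we do not trust; return the tenant id so the
    app can scope the user's data to that tenant. Raises PermissionError."""
    now = time.time() if now is None else now
    iss = claims.get("iss")
    if iss not in ALLOWED_ISSUERS:
        # A valid signature from an unknown Entra tenant lands here.
        raise PermissionError(f"issuer not allowed: {iss!r}")
    tenant_id = ALLOWED_ISSUERS[iss]
    if "tid" in claims and claims["tid"] != tenant_id:
        raise PermissionError("tid does not match issuer")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if CLIENT_ID not in audiences:
        raise PermissionError(f"token not issued for this app: aud={aud!r}")
    if claims.get("exp", 0) <= now:
        raise PermissionError("token expired")
    if claims.get("nbf", 0) > now:
        raise PermissionError("token not yet valid")
    return tenant_id


def is_accepted(claims: dict, now: Optional[float] = None) -> bool:
    try:
        check_tenant(claims, now)
        return True
    except PermissionError:
        return False


def build_demo_token(claims: dict) -> str:
    """Test fixture only: produces the header.payload.signature shape with a
    dummy signature so decode_claims can be exercised offline."""
    header = _b64url_encode(json.dumps({"alg": "demo", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.demo-signature"


# Constructed fixtures used by the demo below.
NOW = 1_700_000_000
OWN_ISSUER = "https://login.microsoftonline.com/aaaaaaaa-0000-0000-0000-000000000001/v2.0"
GOOD_CLAIMS = {"iss": OWN_ISSUER, "tid": ALLOWED_ISSUERS[OWN_ISSUER],
               "aud": CLIENT_ID, "exp": NOW + 600, "nbf": NOW - 60, "sub": "user-1"}
# Valid-looking token from a tenant we never onboarded.
ROGUE_CLAIMS = dict(GOOD_CLAIMS,
                    iss="https://login.microsoftonline.com/cccccccc-0000-0000-0000-000000000003/v2.0",
                    tid="cccccccc-0000-0000-0000-000000000003")

if __name__ == "__main__":
    token = build_demo_token(GOOD_CLAIMS)
    print("own tenant:", check_tenant(decode_claims(token), now=NOW))
    print("unknown tenant accepted?", is_accepted(ROGUE_CLAIMS, now=NOW))
```

The allowlist is keyed on the full issuer string rather than on the tenant GUID alone so that a token whose `iss` points at a different authority but happens to carry a matching `tid` is still rejected; when a new customer tenant is onboarded, the only change is one new entry in `ALLOWED_ISSUERS`.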