Hey everyone! We have a bunch of applications that were designed for our internal organization, and they've been working smoothly with OAuth/OIDC using the MSAL library. Recently, though, we've been asked to provide access to these apps for external clients, and while we've handled that with new multi-tenant app registrations, our latest client doesn't use Entra and wants to implement SAML with us as the service provider. I'm curious about what realistic options we have. I doubt it will be easy to modify the apps to support SAML directly. Is there a way for an Entra tenant to manage the SAML while keeping the apps on OpenID? I've heard that Entra External ID might be able to help, but I'm feeling a bit overwhelmed by the whole situation.
3 Answers
I worked on a project with SSO and SAML using different clients, and I found that Entra External ID got pretty complicated and pricey. Instead, we went with Kinde, which I found recommended online, and I’ve been happy with that choice.
The standard Microsoft solution would be Entra External ID, but honestly, if you want a smoother setup, consider something like Auth0. I've heard it's much easier to work with—much better than Azure B2C was.
A good approach could be to link your OIDC apps with an intermediary auth provider like Azure/Entra B2C. That way, you just manage the B2C tenant as your token source, and it can federate with the external clients' systems, supporting OIDC, SAML, and other options without too much hassle.
So just to clarify, you'd set up a B2C tenant for each major client, federating with their SAML IdP? Wouldn't that complicate things more?
Is Auth0 really that much easier? I've been worried about the complexity of setting up these identity platforms.
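To make the intermediary-provider idea from the third answer concrete, here is an added illustration (not code from the thread, from Entra, or from any of the vendors named): the broker parses the client IdP's SAML assertion, mints an OIDC ID token under its own issuer, and the unchanged OIDC app validates only that token. Everything here is assumed for the example: the issuer URL, audience, attribute URIs and the sample assertion are constructed, and the token is signed with HS256 over a shared secret purely to keep it self-contained (a real broker signs with an asymmetric key and publishes a JWKS). XML signature and Conditions checking of the assertion is the broker product's job and is deliberately not simulated.

```python
import base64
import hashlib
import hmac
import json
import time
import xml.etree.ElementTree as ET

# Assumed values for the illustration; none of these come from the thread.
BROKER_ISSUER = "https://broker.example.test/contoso-tenant/v2.0/"
APP_AUDIENCE = "internal-app-1"
BROKER_SECRET = b"demo-only-shared-secret"  # stand-in for the broker's signing key

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_ATTR = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
NAME_ATTR = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"

# Constructed sample assertion, as a client's SAML IdP might send it (no signature here).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_abc123" Version="2.0">
  <saml:Issuer>https://idp.client-corp.test/saml</saml:Issuer>
  <saml:Subject><saml:NameID>alice@client-corp.test</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"><saml:AttributeValue>alice@client-corp.test</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"><saml:AttributeValue>Alice Example</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def saml_attributes(assertion_xml):
    """Broker side: pull issuer, NameID and attributes out of an assertion that the
    broker has ALREADY signature-checked against the client IdP's metadata certificate.
    Signature and Conditions validation is done by the broker product (xmlsec); this
    helper does not pretend to do it."""
    root = ET.fromstring(assertion_xml)
    out = {
        "issuer": root.findtext("saml:Issuer", namespaces=SAML_NS).strip(),
        "nameid": root.findtext("saml:Subject/saml:NameID", namespaces=SAML_NS).strip(),
    }
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", SAML_NS)]
        out[attr.get("Name")] = values if len(values) > 1 else values[0]
    return out


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def pairwise_subject(idp, nameid):
    """Subject scoped by upstream IdP: 'alice' at two different client IdPs must never
    collapse into one identity inside the app."""
    return hashlib.sha256(f"{idp}|{nameid}".encode()).hexdigest()


def broker_issue_id_token(attrs, now=None):
    """Broker side: map the federated SAML identity to an OIDC ID token signed by the
    broker, so the app never touches SAML at all."""
    now = int(time.time()) if now is None else now
    idp = attrs["issuer"]
    claims = {
        "iss": BROKER_ISSUER,
        "aud": APP_AUDIENCE,
        "iat": now,
        "exp": now + 600,
        "sub": pairwise_subject(idp, attrs["nameid"]),
        "email": attrs.get(EMAIL_ATTR),
        "name": attrs.get(NAME_ATTR),
        "idp": idp,  # kept so the app can still authorize per client tenant
    }
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(BROKER_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def app_validate_id_token(token, now=None):
    """App side: the only trust decision the unchanged OIDC app makes is 'signed by my
    broker, addressed to me, still valid'. Which upstream IdP was used is irrelevant."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, claims_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # never let the token choose the algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(BROKER_SECRET, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(claims_b64))
    if claims.get("iss") != BROKER_ISSUER:
        raise ValueError("untrusted issuer")
    if claims.get("aud") != APP_AUDIENCE:
        raise ValueError("token not for this app")
    if now >= claims.get("exp", 0):
        raise ValueError("expired")
    return claims


if __name__ == "__main__":
    token = broker_issue_id_token(saml_attributes(SAMPLE_ASSERTION))
    print(app_validate_id_token(token))
```

The point this is meant to show is where the trust boundary sits: the apps keep one issuer and one audience check, and onboarding another client is a federation entry in the broker (SAML or OIDC upstream), not an app change. Keeping the upstream IdP in a claim and deriving a pairwise subject from it is what stops two clients' users from colliding once several tenants federate into the same broker.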