Forum Discussion
Web-signin 3rd party IDP not working
We have a working Entra ID SAML federation to a third-party IdP that uses FIDO2/WebAuthn (IdP as Relying Party) for browser sign-in, and we are trying to use the same federation through Windows Web sign-in on an Entra-joined Windows 11 device — but the IdP page loads blank in the WebView and Microsoft-Windows-WebAuthN/Operational records zero events, while the same security key works fine for FIDO2 sign-in with login.microsoft.com as RP on the same device.
Questions:
- Is WebAuthn brokering to third-party Relying Parties inside the Web sign-in WebView supported?
- If not, is it on the roadmap?
- What is the supported architectural path for delivering passwordless Windows sign-in using a federated IdP's own FIDO2/WebAuthn credentials, given Graph API passkey provisioning is Beta-only?
1 Reply
WebAuthn inside the Windows Web sign-in WebView does not currently broker authentication to third-party IdPs acting as their own FIDO2 Relying Party; only Microsoft Entra ID scenarios such as TAP, Authenticator, and SAML-P federation are supported. There is no published roadmap for enabling external IdPs' WebAuthn flows in Web sign-in yet. The supported path for passwordless Windows sign-in with federated IdPs is to use Entra ID as the RP (via FIDO2 security keys or passkeys), not the IdP's own WebAuthn stack.
https://learn.microsoft.com/en-us/windows/security/identity-protection/web-sign-in/?tabs=intune
https://learn.microsoft.com/en-us/graph/api/resources/passkeyprofilestructure?view=graph-rest-beta
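One way to confirm on the device itself whether a Web sign-in attempt ever reached the platform WebAuthn stack, as an added diagnostic that is not part of the thread above: the script below summarizes the Microsoft-Windows-WebAuthN/Operational log (the log named in the question) for a time window bracketing a test sign-in, and distinguishes "the log is disabled" from "no events were recorded". It assumes an elevated PowerShell session on the Entra-joined Windows 11 device; the function name and the 30-minute default window are this example's own choices, and no event IDs are assumed.

```powershell
# Added diagnostic (not from the forum thread): summarize WebAuthN operational events
# around a sign-in attempt. Run elevated on the Entra-joined device.
function Get-WebAuthnEventSummary {
    [CmdletBinding()]
    param(
        # Window to inspect; defaults to the last 30 minutes. Adjust to bracket the test sign-in.
        [datetime]$Start = (Get-Date).AddMinutes(-30),
        [datetime]$End   = (Get-Date)
    )

    $logName = 'Microsoft-Windows-WebAuthN/Operational'

    # A disabled log also yields "zero events"; surface that case explicitly.
    $log = Get-WinEvent -ListLog $logName -ErrorAction Stop
    if (-not $log.IsEnabled) {
        Write-Warning "$logName is not enabled; enable it with: wevtutil sl '$logName' /e:true, then repeat the sign-in."
        return $null
    }

    $events = Get-WinEvent -FilterHashtable @{
        LogName   = $logName
        StartTime = $Start
        EndTime   = $End
    } -ErrorAction SilentlyContinue

    if (-not $events) {
        # Matches the symptom in the question: the WebView never called into the WebAuthn API.
        Write-Host "No WebAuthN events between $Start and $End."
        return @()
    }

    # One row per event Id: count, first/last occurrence, and the first line of a sample message.
    $events | Group-Object Id | ForEach-Object {
        $sorted = $_.Group | Sort-Object TimeCreated
        [pscustomobject]@{
            Id     = $_.Name
            Count  = $_.Count
            First  = $sorted[0].TimeCreated
            Last   = $sorted[-1].TimeCreated
            Sample = ($sorted[0].Message -split "`r?`n")[0]
        }
    } | Sort-Object First
}

# Usage: perform the sign-in attempt, then run the summary.
# Get-WebAuthnEventSummary | Format-Table -AutoSize
```

Running this once after a FIDO2 sign-in with login.microsoft.com as RP and once after the federated Web sign-in attempt gives a like-for-like comparison: events in the first case and none in the second corroborate the reply above, namely that the WebView is not brokering WebAuthn to the third-party RP rather than the security key or the platform stack being at fault.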