Forum Discussion
Can External ID (CIAM) federate to an Azure AD/Entra ID tenant using SAML?
What I'm trying to achieve
I'm setting up SAML federation FROM my External ID tenant (CIAM) TO a partner's Entra ID tenant (regular organizational tenant) for a hybrid CIAM/B2B setup where:
- Business users authenticate via their corporate accounts (OIDC or SAML)
- Individual customers use username/password or social providers (OIDC)
Tenant details / Terminology:
- CIAM tenant: External ID tenant for customer-facing applications
- IdP tenant: Example Partner's organizational Entra ID tenant with business accounts
- Custom domain: mycustomdomain.com (example domain for the IdP tenant)
Configuration steps taken
Step 1: IdP Tenant (Entra ID) - Created SAML App
- Set up Enterprise App with SAML SSO
- Entity ID: https://login.microsoftonline.com/<CIAM_TENANT_ID>/
- Reply URL: https://<CIAM_TENANT_ID>.ciamlogin.com/login.srf
- NameID: Persistent format
- Claim mapping: emailaddress → user.mail
Step 2: CIAM Tenant (External ID) - Added SAML IdP
(Initially imported from the SAML metadata URL from the above setup)
- Federating domain: mycustomdomain.com
- Issuer URI: https://sts.windows.net/<IDP_TENANT_ID>/
- Passive endpoint: https://login.microsoftonline.com/mycustomdomain.com/saml2
- DNS TXT record added: DirectFedAuthUrl=https://login.microsoftonline.com/mycustomdomain.com/saml2
Step 3: Attached to User Flow
- Added SAML IdP to user flow under "Other identity providers"
- Saved configuration and waited for propagation
The problem
It doesn't work. When testing via "Run user flow":
- No SAML button appears (should display "Sign in with mycustomdomain")
- Entering [email address removed for privacy reasons] doesn't trigger federation
- The SAML provider appears configured but never shows up in the actual flow
- Also tried using the tenant GUID in the passive endpoint instead of the domain - same result
My question
Is SAML federation from External ID to regular Entra ID tenants actually possible?
I know OIDC federation to Microsoft tenants is (currently, August 2025) explicitly blocked (microsoftonline.com domains are rejected). Is SAML similarly restricted? The portal lets me configure everything without throwing any errors, but it never actually works.
Am I missing something in my configuration? The documentation for this use case is limited and I've had to piece together the setup from various sources. Or is this a fundamental limitation where External ID simply can't federate to ANY Microsoft tenant regardless of the protocol used?
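An added consistency check, not part of the original post or of any Microsoft tooling: it parses the IdP tenant's SAML federation metadata and compares the issuer and SSO endpoint it advertises with the CIAM-side values from Step 2 and with the DirectFedAuthUrl TXT record. The metadata document, the tenant GUID and the DNS answer below are constructed placeholders.

```python
import xml.etree.ElementTree as ET

MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed stand-in for the IdP tenant's federation metadata; the GUID is a
# placeholder, not a real tenant ID.
IDP_TENANT_ID = "00000000-0000-0000-0000-000000000000"
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/{IDP_TENANT_ID}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/{IDP_TENANT_ID}/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/{IDP_TENANT_ID}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

# Constructed CIAM-side values (the Step 2 fields) and the TXT record on the federating domain.
CIAM_CONFIG = {
    "federating_domain": "mycustomdomain.com",
    "issuer_uri": f"https://sts.windows.net/{IDP_TENANT_ID}/",
    "passive_endpoint": f"https://login.microsoftonline.com/{IDP_TENANT_ID}/saml2",
}
DNS_TXT = {"mycustomdomain.com": [f"DirectFedAuthUrl={CIAM_CONFIG['passive_endpoint']}"]}


def parse_idp_metadata(xml_text):
    """Extract the issuer, SSO endpoints keyed by binding, and NameID formats."""
    root = ET.fromstring(xml_text)
    sso = root.find("md:IDPSSODescriptor", MD_NS)
    endpoints = {s.get("Binding").rsplit(":", 1)[-1]: s.get("Location")
                 for s in sso.findall("md:SingleSignOnService", MD_NS)}
    formats = [f.text for f in sso.findall("md:NameIDFormat", MD_NS)]
    return {"issuer": root.get("entityID"), "endpoints": endpoints, "nameid_formats": formats}


def check_federation_config(metadata, ciam, dns_txt):
    """Return mismatches between IdP metadata, CIAM settings and DNS; [] means consistent."""
    problems = []
    # The Issuer URI must equal the IdP's entityID byte for byte (trailing slash included).
    if ciam["issuer_uri"] != metadata["issuer"]:
        problems.append(f"issuer mismatch: {ciam['issuer_uri']} != {metadata['issuer']}")
    # The passive endpoint must be an SSO location the IdP actually advertises.
    if ciam["passive_endpoint"] not in metadata["endpoints"].values():
        problems.append(f"passive endpoint not advertised by IdP: {ciam['passive_endpoint']}")
    # The TXT record on the federating domain must carry the same passive endpoint.
    expected_txt = "DirectFedAuthUrl=" + ciam["passive_endpoint"]
    if expected_txt not in dns_txt.get(ciam["federating_domain"], []):
        problems.append(f"missing TXT record on {ciam['federating_domain']}: {expected_txt}")
    return problems
```

Against a live setup, replace SAMPLE_METADATA with the IdP tenant's downloaded federation metadata and DNS_TXT with the actual TXT answer for the federating domain; any returned string is a field worth re-checking before suspecting a platform restriction.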