Forum Discussion
Can External ID (CIAM) federate to an Azure AD/Entra ID tenant using SAML?
You are very close, but the issue is likely not in your SAML configuration itself.
External ID (CIAM) has specific limitations when the Identity Provider is another Microsoft Entra ID tenant. While the portal allows SAML configuration, Microsoft tenants are not always supported as external SAML IdPs in CIAM scenarios, especially when using login.microsoftonline.com endpoints.
If your goal is to allow corporate users from a partner tenant to authenticate using their work accounts, the recommended architecture is:
- Use Microsoft Entra B2B between organizational tenants
- Keep External ID (CIAM) for customer identities only
CIAM is designed primarily for customer-facing authentication (local accounts, social IdPs, custom SAML IdPs), not as a federation bridge between Microsoft tenants.
Also verify:
- The domain is fully verified and marked as federated in CIAM
- The issuer URI exactly matches the IdP metadata
- The user flow supports domain discovery
- The SAML IdP is properly assigned to the user flow
However, if your IdP endpoint is login.microsoftonline.com, this may be a platform restriction rather than a configuration error.
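Added example (not part of the answer above): a small Python check that reads SAML IdP metadata, compares the entityID against the issuer URI configured in CIAM, and flags SSO endpoints hosted on login.microsoftonline.com. The metadata below is a constructed sample with an all-zero tenant GUID as a placeholder.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed sample of SAML IdP federation metadata, shaped like what an
# Entra ID tenant publishes. The GUID is a placeholder, not a real tenant.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def parse_idp_metadata(xml_text):
    """Return (entityID, [SingleSignOnService locations]) from IdP metadata."""
    root = ET.fromstring(xml_text)
    entity_id = root.get("entityID")
    locations = [
        sso.get("Location")
        for sso in root.findall("md:IDPSSODescriptor/md:SingleSignOnService", NS)
    ]
    return entity_id, locations


def check_federation_config(xml_text, configured_issuer):
    """Return a list of findings: an exact-match issuer comparison (a missing
    trailing slash already counts as a mismatch) and any SSO endpoint on
    login.microsoftonline.com, which the answer treats as a platform limit."""
    entity_id, locations = parse_idp_metadata(xml_text)
    findings = []
    if configured_issuer != entity_id:
        findings.append(
            f"issuer mismatch: configured={configured_issuer!r} metadata={entity_id!r}"
        )
    for loc in locations:
        if urlparse(loc).hostname == "login.microsoftonline.com":
            findings.append(f"SSO endpoint on login.microsoftonline.com: {loc}")
    return findings


if __name__ == "__main__":
    # Trailing slash dropped on purpose to show the exact-match requirement.
    for f in check_federation_config(
        SAMPLE_METADATA, "https://sts.windows.net/00000000-0000-0000-0000-000000000000"
    ):
        print(f)
```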