Blog Post

Microsoft Entra Blog
2 MIN READ

Entra ID B2B collaboration direct federation with SAML and WS-Fed providers now in public preview

Alex Simons (AZURE)'s avatar
Jul 08, 2019

Howdy folks,

 

We’ve been making it easier to work with your partners by enabling you to collaborate with them using their existing identities, regardless of whether they use Azure AD or not. We already support Google social IDs as well as any email account. As a next major step in this direction, I’m excited to announce that we have a new capability—direct federation—now in public preview!

 

Direct federation makes it easier for you to work with partners whose IT managed identity solution is not Azure AD. It works with identity systems that support the SAML or WS-Fed standards. When you set up a direct federation relationship with a partner, any new guest user you invite from that domain can collaborate with you using their existing organizational account. This makes the user experience for your guests more seamless.

 

With direct federation, your guest users sign in with their organizational account, satisfying any security requirements that your partner organization has already implemented. Any additional security controls you implement for guest users, such as stronger proof of ownership for Multi-Factor Authentication (MFA), also applies to these users. When your guest leaves their organization, they no longer have access to resources.

 

 

 

Let’s walk through what happens when a user signs in with direct federation:

  1. The direct federation user clicks a link to an application or resource you have shared with them.
  2. Entra ID checks to see if the user has been invited. 
  3. The user's application is re-directed to their identity provider for sign-in.
  4. The IDP the app is re-directed to authenticates the user 
  5. After successful authentication, the IDP returns a SAML token to the application.
  6. The application sends the SAML token to Entra ID.
  7. Entra ID validates the token then sends the application an access token for the resource it wishes to use. (Figure 1)  

Watch this video to learn more about how direct federation works and other identities we support.

 

Figure 2. Setting up direct federation in Azure AD—Organizational relationships.

To try direct federation in the Azure portal,  go to Azure Active Directory > Organizational relationships - Identity providers, where you can populate your partner’s identity provider metadata details by uploading a file or entering the details manually. (Figures 2 and 3) During public preview, we only support direct federation with an identity provider whose authentication URL matches the target domain for direct federation or belongs to a standard identity provider.

 

Figure 3. Populating direct federation metadata in Azure AD.

Go ahead and dive into the documentation to try out direct federation and learn more! Let us know what you think by taking our brief survey.

 

And as always, connect with us for any discussion or send us your feedback and suggestions. You know we’re listening! 

 

Best regards,

 

Alex Simons (@Alex_A_Simons )

Corporate VP of Program Management

Microsoft Identity Division

Updated Dec 04, 2023
Version 9.0