SSO and Identity Federation with OIDC and SAML
A centralized SSO design using Entra ID to federate applications over OIDC and SAML, with Conditional Access, MFA, and SCIM provisioning. Users authenticate once, access is governed in one place, and offboarding cascades automatically.
What and When
Single sign-on (SSO) lets users authenticate once with a central identity provider and reach every connected application without re-entering credentials. Identity federation extends this trust to third-party SaaS and partner systems. Adopt this when employees juggle many apps, when password reuse is a security risk, or when you need centralized control over access and offboarding.
This design uses Microsoft Entra ID as the identity provider, federating applications over OpenID Connect (OIDC) for modern apps and SAML 2.0 for legacy enterprise apps.
Components
- Entra ID is the central identity provider that authenticates users and issues tokens.
- OIDC federates modern web and mobile applications using signed ID tokens and access tokens.
- SAML 2.0 federates older enterprise SaaS that does not support OIDC.
- Conditional Access evaluates risk signals (device, location, user risk) and enforces step-up authentication.
- MFA adds a second factor; phishing-resistant methods such as passkeys are preferred.
- SCIM provisioning automatically creates and deactivates user accounts in downstream apps; app registrations define each integrated application.
Data Flow
A user opens an application and is redirected to Entra ID. Entra ID authenticates them, applies Conditional Access policy, and prompts for MFA if risk warrants. On success it issues an OIDC ID token (or a SAML assertion) that the application validates to establish a session. SCIM keeps user records and group memberships in sync, so when a user leaves, deprovisioning cascades to every connected app.
Scaling and Resilience
Entra ID is a globally distributed, highly available service, so it scales to large workforces without operator effort. Token-based sessions reduce repeated authentication load. Use group-based assignment so onboarding thousands of users does not require per-app configuration. Cache discovery documents and signing keys at the application to tolerate brief provider hiccups, and plan a break-glass account for emergency access.
Security
Centralized authentication means one place to enforce MFA, detect anomalous sign-ins, and revoke access instantly. Validate token signatures, audience, and expiry in every application. Prefer phishing-resistant MFA and short token lifetimes. Apply least privilege through role and group assignment, and review access regularly. SCIM-driven deprovisioning closes the common gap where ex-employees retain SaaS access.
Trade-offs and Alternatives
Federation centralizes risk: an outage or compromise of the identity provider affects every app, so resilience and monitoring are critical. Legacy apps may need SAML, adding integration work. Alternatives include Okta or Auth0 for vendor-neutral or developer-focused needs, or Keycloak for self-hosted control. Entra ID is the natural choice for Microsoft-centric workforces already on Azure.