# WebApp Authentication with Social IDPs (Google, Facebook & Apple ID)

<table class="MsoNormalTable" id="bkmrk-field-details-docume" style="width: 78.2143%; height: 200px;" title=""><tbody><tr style="height: 29.7969px;"><td style="width: 16.2614%; height: 29.7969px;">**Field**

</td><td style="width: 83.7386%; height: 29.7969px;">**Details**

</td></tr><tr style="height: 46.5938px;"><td style="width: 16.2614%; height: 46.5938px;">Document Type

</td><td style="width: 83.7386%; height: 46.5938px;">Runbook / How-To Guide

</td></tr><tr style="height: 46.5938px;"><td style="width: 16.2614%; height: 46.5938px;">Applies To

</td><td style="width: 83.7386%; height: 46.5938px;">Microsoft Entra ID External Identities (CIAM), Social Identity Providers (Google, Facebook, Apple), Third-party Web Applications

</td></tr><tr style="height: 29.7969px;"><td style="width: 16.2614%; height: 29.7969px;">Audience

</td><td style="width: 83.7386%; height: 29.7969px;">Systems Administrators / Identity Engineers / 2nd Line Support

</td></tr><tr style="height: 29.7969px;"><td style="width: 16.2614%; height: 29.7969px;">Author

</td><td style="width: 83.7386%; height: 29.7969px;">AK. Udofeh

</td></tr><tr style="height: 46.5938px;"><td style="width: 16.2614%; height: 46.5938px;">Last Updated

</td><td style="width: 83.7386%; height: 46.5938px;">March 2026

</td></tr></tbody></table>

##### **Overview**

This guide documents how to integrate Social Identity Providers (Google, Facebook, and Apple) with a SAML-based web application for authentication using Microsoft Entra ID External Identities and Customer Identity & Access Management (CIAM). The configuration allows users to authenticate with social accounts while Microsoft Entra acts as the identity broker and issues a SAML assertion to the third-party or line-of-business (LOB) web application.

The process involves creating an external tenant, registering social identity providers, creating a user flow, configuring a SAML enterprise application, and updating the application configuration.

##### **The Issue**

Organisations often require users to authenticate using social identities (e.g. Google or Facebook) while maintaining a centralised identity broker for security and policy enforcement.

Without a configured identity broker:

- Applications must integrate individually with each social provider.
- Identity attributes are inconsistent between providers.
- Access control and auditing become difficult to manage.

Basic authentication methods such as:

- Local application accounts
- Direct OAuth integration within the application

do not provide centralised identity management or federation capabilities.

Using Microsoft Entra External Identities resolves this by brokering authentication from social providers and issuing a standard SAML assertion to the application.

[![Authentication via Socials IDP.png](https://docs.aktechnoservices.com/uploads/images/gallery/2026-03/scaled-1680-/jzrauthentication-via-socials-idp.png)](https://docs.aktechnoservices.com/uploads/images/gallery/2026-03/jzrauthentication-via-socials-idp.png)

##### **Context**

Modern applications often require authentication from multiple identity providers while maintaining centralised access control.

Without a broker, the authentication flow typically looks like this:

```
User
  ↓
Application
  ↓
Direct OAuth with Google/Facebook
```

**This causes several issues:**

- Applications must implement provider-specific authentication logic
- Identity attributes differ between providers
- Access control cannot be centrally enforced

Using Microsoft Entra External Identities introduces an identity broker layer:

```
User
  ↓
Google / Facebook / Apple
  ↓  (OAuth / OIDC)
Microsoft Entra External Tenant (CIAM)
  ↓  (User Flow)
Enterprise Application (SAML)
  ↓
Flask Web Application
```

In this architecture:

- Social providers authenticate the user.
- Entra External Identities brokers the authentication.
- A SAML assertion is issued to the web application.

##### **Before You Start**

<table id="bkmrk-check-where-external" style="height: 220px; width: 80.9524%;"><thead><tr><th style="width: 49.9265%;">Check

</th><th style="width: 49.9265%;">Where

</th></tr></thead><tbody><tr><td style="width: 49.9265%;">External tenant created

</td><td style="width: 49.9265%;">Microsoft Entra admin centre

</td></tr><tr><td style="width: 49.9265%;">Azure subscription linked

</td><td style="width: 49.9265%;">Tenant creation wizard

</td></tr><tr><td style="width: 49.9265%;">Google Developer Console account

</td><td style="width: 49.9265%;">console.cloud.google.com

</td></tr><tr><td style="width: 49.9265%;">Meta Developer account

</td><td style="width: 49.9265%;">developers.facebook.com

</td></tr><tr><td style="width: 49.9265%;">Apple Developer account (optional)

</td><td style="width: 49.9265%;">developer.apple.com

</td></tr><tr><td style="width: 49.9265%;">SAML web application deployed

</td><td style="width: 49.9265%;">Flask service

</td></tr><tr><td style="width: 49.9265%;">Service Provider metadata configured

</td><td style="width: 49.9265%;">`settings.json`

</td></tr></tbody></table>

#### **Implementation Steps (Per Environment)**

#### **Phase 1 - Create External Tenant**

##### **Step 1: Sign in to the Microsoft Entra admin centre**

[https://entra.microsoft.com](https://entra.microsoft.com)

Navigate to:

```
Microsoft Entra ID > Overview > Manage Tenants
```

Click:

```
Create > External
```

Enter the tenant details:

- Tenant Name: `<Your tenant name>`
- Domain Name: `<Your domain name>`
- Location: Europe or Africa
- Subscription: Azure subscription

Click:

```
Review + Create > Create
```

Provisioning may take up to **30 minutes**.

Switch to the new tenant:

```
Settings > Directories + Subscriptions > Switch
```

#### **Phase 2 - Add Social Identity Providers**

Navigate to:

```
External Identities
> All Identity Providers
```

#### **Integrate with Google Identity Provider**

##### **Step 1: Configure Google OAuth**

Visit: [https://console.cloud.google.com/](https://console.cloud.google.com/)

In Google Cloud Console:

```
APIs & Services
> Credentials
> OAuth2 Client ID
```

Enter the name of the web application.

Add the Authorized redirect URI:

```
https://<tenant-subdomain>.ciamlogin.com/<tenant-subdomain>.onmicrosoft.com/federation/oauth2
```

Copy the following values and keep them safe. Treat the Client Secret as a credential: store it in a secrets store, not in source control or a ticket.

```
> Client ID
> Client Secret
```

##### **Step 2: Register Google as IdP in Entra ID**

In the Entra ID external tenant directory, navigate to:

```
External Identities
> All Identity Providers
```

Enter:

```
Client ID
Client Secret
```

Click:

```
Save
```

#### **Integrate with Facebook Identity Provider**

##### **Step 1: Create Meta Developer App**

Visit:

[https://developers.facebook.com](https://developers.facebook.com)

Select:

```
My Apps > Create App
```

Choose:

```
Authenticate and request data from users with Facebook Login
```

Select platform:

```
Web
```

Add redirect URI:

```
https://<tenant-subdomain>.ciamlogin.com/<tenant-subdomain>.onmicrosoft.com/federation/oauth2
```

In **App Settings > Basic**, copy:

```
App ID
App Secret
```

Add application domain:

```
<your domain here> (e.g. example.com)
```

<p class="callout warning">Without adding the domain, Facebook login will fail with: "Can't load URL — domain isn't included in the app's domains"</p>

Switch the application to:

```
Live Mode
```

##### **Step 2: Register Facebook IdP in Entra ID**

In the Entra ID external tenant directory, navigate to:

```
External Identities
> All Identity Providers
> + Facebook
```

Enter:

```
App ID
App Secret
```

Click:

```
Save
```

#### **Integrate with Apple Identity Provider**

<p class="callout info">Prerequisite: an active Apple Developer Account (paid membership).</p>

##### **Step 1: Configure Apple Developer Portal**

Navigate to:

[https://developer.apple.com](https://developer.apple.com)

Create an **App ID** with:

```
Sign in with Apple enabled
```

Create a **Services ID**

**Example:**

```
com.example.samllab
```

Configure redirect URI:

```
https://<tenant-subdomain>.ciamlogin.com/<tenant-subdomain>.onmicrosoft.com/federation/oauth2
```

Create a **Sign In with Apple Key**

Download:

```
.p8 private key
```

Apple allows the `.p8` file to be downloaded only once; store it securely, because the private key cannot be retrieved from the portal again.

Record:

```
Key ID
Team ID
```

##### **Step 2: Register Apple IdP in Entra ID**

In the Entra ID external tenant directory, navigate to:

```
External Identities
> All Identity Providers
> + Apple
```

Configure:

```
Client ID: Your Apple services ID
Apple developer team ID: Your Apple Team ID here
Key ID: Your Apple Key ID here
Client Secret: Upload the .p8 key file here
```

#### **Phase 3: Create a User Flow**

In the Entra ID external tenant directory, navigate to:

```
External Identities
> User Flows
> + New User Flow
```

Configure:

Name: e.g. `PilotApp-Auth-via-Socials`

Enable identity providers:

```
Email with Password
Google
Facebook
```

Select attributes:

```
Display Name
Email Address
Given Name
Surname
```

Click:

```
Create
```

#### **Phase 4: Register the SAML Application in the Entra ID External Tenant Directory**

Navigate to:

```
Enterprise Applications
> New Application
> Create Your Own Application
```

Name:

```
My PilotApp with Socials Idp
```

Select:

```
Integrate any other application you don't find in the gallery
```

##### **Configure SAML**

Navigate to:

```
Single Sign-On
> SAML
```

Configure:

**Identifier (Entity ID)**

```
https://mypilot-app.example.com
```

**Reply URL (ACS)**

```
https://mypilot-app.example.com/acs
```

##### **Configure Attributes & Claims**

Map attributes:

<table id="bkmrk-claim-value-givennam"><thead><tr><th>Claim</th><th>Value</th></tr></thead><tbody><tr><td>givenname</td><td>user.givenname</td></tr><tr><td>surname</td><td>user.surname</td></tr><tr><td>emailaddress</td><td>user.mail</td></tr></tbody></table>
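
The Entity ID, Reply URL and the three mapped claims above are exactly the values the Flask service has to check and consume on every login. The block below is an added example (not code from the runbook or from any project it describes) showing the SP-side handling: it refuses an assertion whose `Audience` is not our Entity ID or whose `Recipient` is not our ACS URL, and maps only the three claim URIs from the table into a user record. It assumes the SAML library in use has already verified the XML signature and validity window; `SAMPLE_ASSERTION` is constructed and carries no signature.

```python
"""Apply the Phase 4 Entity ID / ACS URL and claim mapping to a validated assertion.

Added example, not code from the original runbook. It assumes the Flask app's
SAML library has ALREADY verified the XML signature and validity window; shown
here is the SP-side audience/recipient check and the mapping of the three
claims from the table. SAMPLE_ASSERTION is constructed, with no signature.
"""
import xml.etree.ElementTree as ET

# Values from Phase 4.
SP_ENTITY_ID = "https://mypilot-app.example.com"
SP_ACS_URL = "https://mypilot-app.example.com/acs"

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Claim URIs Entra emits for the givenname / surname / emailaddress rows.
CLAIM_MAP = {
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname": "given_name",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname": "surname",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": "email",
}

# Constructed sample; tenant id, NameID and the identityprovider value are placeholders.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" Version="2.0" IssueInstant="2026-03-01T10:00:00Z">
  <saml:Issuer>https://contoso.ciamlogin.com/11111111-2222-3333-4444-555555555555/</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">u-001</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2026-03-01T10:05:00Z"
          Recipient="https://mypilot-app.example.com/acs"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2026-03-01T09:55:00Z" NotOnOrAfter="2026-03-01T11:00:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://mypilot-app.example.com</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
      <saml:AttributeValue>Ada</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
      <saml:AttributeValue>Lovelace</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>ada@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.microsoft.com/identity/claims/identityprovider">
      <saml:AttributeValue>google.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_user(assertion_xml, sp_entity_id=SP_ENTITY_ID, acs_url=SP_ACS_URL):
    """Reject assertions aimed at another SP, then map the expected claims."""
    root = ET.fromstring(assertion_xml)

    # The assertion must name THIS application as its audience (Phase 4 Entity ID).
    audiences = [a.text for a in root.findall(".//saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        raise ValueError(f"assertion audience {audiences} is not this SP")

    # And it must have been addressed to our ACS endpoint (Phase 4 Reply URL).
    recipients = [c.get("Recipient") for c in root.findall(".//saml:SubjectConfirmationData", NS)]
    if acs_url not in recipients:
        raise ValueError(f"Recipient {recipients} does not match the ACS URL")

    user = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        field = CLAIM_MAP.get(attr.get("Name"))
        if field is None:
            continue  # unmapped claim: do not copy it into the session
        values = [v.text for v in attr.findall("saml:AttributeValue", NS)]
        user[field] = values[0] if len(values) == 1 else values

    missing = sorted(set(CLAIM_MAP.values()) - set(user))
    if missing:
        raise ValueError(f"claims missing from assertion: {missing}")
    return user
```

Unmapped claims are dropped rather than copied through so a change on the Entra side cannot silently add attributes to the session, and a missing mapped claim is treated as a login failure, which is how the "Map attributes" step gets verified end to end. In production parse IdP-supplied XML with `defusedxml` instead of the stdlib parser; the stdlib is used here only so the example runs without dependencies.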

##### **Obtain Federation Metadata**

Download:

```
Federation Metadata XML
```

Extract:

```
IdP Entity ID
SSO URL
Signing Certificate
```
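
Extracting those three values by hand from the metadata download is where copy-and-paste errors creep in (a wrapped certificate, the POST endpoint taken instead of the Redirect one). The following added example (not part of the runbook) parses a SAML metadata document with the Python standard library and returns the IdP Entity ID, the HTTP-Redirect SSO URL and every signing certificate, then renders them in the `SAML_IDP_*` form used in Phase 5. `SAMPLE_METADATA` is constructed to mirror the structure of the Entra download; the tenant subdomain, tenant id and certificate body are placeholders.

```python
"""Extract the Phase 5 values from the downloaded Federation Metadata XML.

Added example, not code from the original runbook. SAMPLE_METADATA is a
constructed document that mirrors the structure of the Entra download; the
tenant subdomain, tenant id and certificate bytes are placeholders.
"""
import base64
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Placeholder certificate body (valid base64, not a real X.509 certificate).
PLACEHOLDER_CERT_B64 = base64.b64encode(b"constructed placeholder, not a real certificate").decode()

SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://contoso.ciamlogin.com/11111111-2222-3333-4444-555555555555/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data>
          <X509Certificate>
            {PLACEHOLDER_CERT_B64}
          </X509Certificate>
        </X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://contoso.ciamlogin.com/contoso.onmicrosoft.com/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://contoso.ciamlogin.com/contoso.onmicrosoft.com/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def parse_idp_metadata(xml_text):
    """Return IdP entity ID, HTTP-Redirect SSO URL and every signing certificate."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor: %s" % root.tag)

    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is SP metadata or the wrong file")

    # The SP sends its AuthnRequest via HTTP-Redirect, so that is the URL we want.
    sso_url = None
    for svc in idp.findall("md:SingleSignOnService", NS):
        if svc.get("Binding") == REDIRECT_BINDING:
            sso_url = svc.get("Location")
    if sso_url is None:
        raise ValueError("no HTTP-Redirect SingleSignOnService in metadata")

    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # use="signing", or no use attribute at all (which means signing AND encryption).
        if kd.get("use", "signing") != "signing":
            continue
        for node in kd.findall(".//ds:X509Certificate", NS):
            cert = "".join((node.text or "").split())  # strip the line wrapping
            base64.b64decode(cert, validate=True)      # fail fast on a damaged copy
            certs.append(cert)
    if not certs:
        raise ValueError("no signing certificate in metadata")

    return {"entity_id": root.get("entityID"), "sso_url": sso_url, "signing_certs": certs}


def to_env_lines(meta):
    """Render the values in the SAML_IDP_* form used in Phase 5."""
    # During a certificate rollover the metadata can list more than one signing
    # certificate; the SP should trust all of them, not only the first.
    return [
        f"SAML_IDP_ENTITY_ID={meta['entity_id']}",
        f"SAML_IDP_SSO_URL={meta['sso_url']}",
        f"SAML_IDP_X509CERT={meta['signing_certs'][0]}",
    ]
```

Run it against the real download (`parse_idp_metadata(open("metadata.xml").read())`) and compare the output with what you pasted into the application; a mismatch in the SSO URL or a certificate that fails the base64 check is a faster diagnosis than a failed login. As above, prefer `defusedxml` over the stdlib parser for XML you did not produce yourself.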

##### **Link the Application to the User Flow (Entra ID External Tenant Directory)**

Navigate to:

```
External Identities
> User Flows
> saml_lab_signin
> Applications
```

Click: Add Application

Select: `<The Enterprise App you want to integrate>`

#### **Phase 5: Update the Third-party or LOB App to Integrate with the Social IdPs**

Replace the workforce tenant values in the application's SAML configuration with the external tenant values.

```
# External Tenant Configuration

SAML_IDP_ENTITY_ID=https://<external-tenant-id>.ciamlogin.com/<external-tenant-id>/
SAML_IDP_SSO_URL=https://<tenant-name>.ciamlogin.com/<tenant-name>.onmicrosoft.com/saml2
SAML_IDP_X509CERT=<base64-certificate>
```

Save the configuration.

**The application will now authenticate users through the External Tenant user flow.**

[![SAML - social idp UI.png](https://docs.aktechnoservices.com/uploads/images/gallery/2026-03/scaled-1680-/saml-social-idp-ui.png)](https://docs.aktechnoservices.com/uploads/images/gallery/2026-03/saml-social-idp-ui.png)

#### **Troubleshooting**

##### **Facebook - Domain Not Included in App Domains**

**Error:**

`Can't load URL: The domain of this URL isn't included in the app's domains`

**Resolution:**

Add the application domain in:

```
Meta Developer Console
> App Settings
> Basic
> App Domains
```

##### **Facebook - Invalid Scopes Email**

**Error:**

`Invalid Scopes: email`

**Resolution:**

Add the permission:

```
Permissions and Features
> email
```

##### **Google - Redirect URI Mismatch**

**Error:**

`redirect_uri_mismatch`

**Resolution:**

Ensure the Authorized redirect URI registered in Google Console is character-for-character identical (scheme, host and path) to the one your tenant sends in the authorization request:

```
https://<tenant-subdomain>.ciamlogin.com/<tenant-subdomain>.onmicrosoft.com/oauth2/authresp
```

This path differs from the `/federation/oauth2` URI registered in Phase 2, Step 1; the two are not interchangeable, and Google raises the error when even one character of the URI it receives differs from what is on file.

##### **SAML Login Failure**

**Error:**

`AADSTS75011 Authentication method mismatch`

**Resolution:**

Disable strict authentication context in the Service Provider configuration. The error is raised when the SP's AuthnRequest carries a `RequestedAuthnContext` (typically PasswordProtectedTransport) that a social sign-in cannot satisfy, so Entra refuses to issue the assertion.
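
The Phase 5 configuration change and the AADSTS75011 resolution both land in the same place: the SP settings of the Flask service. The block below is an added example, not code from the runbook or from the application it describes, that assembles those settings and refuses to start when the `SAML_IDP_*` values still point at a workforce tenant (`login.microsoftonline.com` or `sts.windows.net`) or the certificate is not clean base64. It assumes python3-saml style settings (the `sp`, `idp` and `security` keys and `requestedAuthnContext`), which the page does not name and is an assumption; the `.ciamlogin.com` host check is a simplification that does not cover custom URL domains. All sample values are constructed placeholders.

```python
"""Sanity-check the Phase 5 values and build the SP settings for the Flask app.

Added example, not code from the original runbook. The page names only Flask and
a settings.json; this block assumes python3-saml style settings (its `idp`,
`sp` and `security` keys, and `requestedAuthnContext`), which is an assumption.
The sample values below are constructed placeholders.
"""
import base64
import binascii
from urllib.parse import urlparse

# Hosts that belong to a WORKFORCE tenant configuration. Finding one here means
# the replacement described in Phase 5 was not completed.
WORKFORCE_HOSTS = {"login.microsoftonline.com", "sts.windows.net"}
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed stand-in for the application's environment / settings.json input.
SAMPLE_ENV = {
    "SAML_IDP_ENTITY_ID": "https://contoso.ciamlogin.com/11111111-2222-3333-4444-555555555555/",
    "SAML_IDP_SSO_URL": "https://contoso.ciamlogin.com/contoso.onmicrosoft.com/saml2",
    "SAML_IDP_X509CERT": base64.b64encode(b"constructed placeholder, not a real certificate").decode(),
}


def check_external_tenant_values(env):
    """Return a list of problems with the SAML_IDP_* values (empty list = OK)."""
    problems = []
    for key in ("SAML_IDP_ENTITY_ID", "SAML_IDP_SSO_URL"):
        host = urlparse(env.get(key, "")).hostname or ""
        if host in WORKFORCE_HOSTS:
            problems.append(f"{key} still points at the workforce tenant ({host})")
        elif not host.endswith(".ciamlogin.com"):
            # Simplification: adjust if the tenant uses a custom URL domain.
            problems.append(f"{key} is not an external tenant endpoint ({host or 'empty'})")

    cert = "".join(env.get("SAML_IDP_X509CERT", "").split())
    if not cert:
        problems.append("SAML_IDP_X509CERT is empty")
    elif "-----BEGIN" in cert:
        problems.append("SAML_IDP_X509CERT must be bare base64 without PEM header lines")
    else:
        try:
            base64.b64decode(cert, validate=True)
        except binascii.Error:
            problems.append("SAML_IDP_X509CERT is not valid base64 (damaged copy/paste?)")
    return problems


def build_sp_settings(env, sp_entity_id, acs_url):
    """Assemble the SP settings, refusing to start on workforce leftovers."""
    problems = check_external_tenant_values(env)
    if problems:
        raise ValueError("; ".join(problems))
    return {
        "strict": True,  # reject unsigned or malformed responses instead of warning
        "sp": {
            "entityId": sp_entity_id,  # must equal the Identifier set in Phase 4
            "assertionConsumerService": {"url": acs_url, "binding": POST_BINDING},
        },
        "idp": {
            "entityId": env["SAML_IDP_ENTITY_ID"],
            "singleSignOnService": {"url": env["SAML_IDP_SSO_URL"], "binding": REDIRECT_BINDING},
            "x509cert": "".join(env["SAML_IDP_X509CERT"].split()),
        },
        "security": {
            "wantAssertionsSigned": True,
            # Fix for AADSTS75011: do not demand a particular AuthnContext class.
            # A Google/Facebook/Apple sign-in is not PasswordProtectedTransport,
            # so a strict request cannot be satisfied and Entra rejects it.
            "requestedAuthnContext": False,
        },
    }
```

Failing fast on a workforce host is deliberate: a leftover `login.microsoftonline.com` URL would otherwise produce a confusing redirect to the wrong tenant at first login rather than a clear error at start-up. `requestedAuthnContext: False` is the settings-level expression of "disable strict authentication context"; the assertion signature requirement stays on, since relaxing the requested context must not relax verification of the response.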

<table id="bkmrk-metric-result-resolu"><thead><tr><th>**Metric**

</th><th>**Result**

</th></tr></thead><tbody><tr><td>Resolution Time

</td><td>~45–90 minutes

</td></tr><tr><td>User Impact

</td><td>Users can authenticate using social providers

</td></tr><tr><td>Authentication Method

</td><td>Google, Facebook, Apple, or local account

</td></tr><tr><td>Recurrence Risk

</td><td>Low once identity providers are configured

</td></tr></tbody></table>