WebApp Authentication with Social IDPs (Google, Facebook & Apple ID)

Field	Details
Document Type	Runbook / How-To Guide
Applies To	Microsoft Entra ID External Identities (CIAM), Social Identity Providers (Google, Facebook, Apple), Third-party Web Applications
Audience	Systems Administrators / Identity Engineers / 2nd Line Support
Author	AK. Udofeh
Last Updated	March 2026

Overview

This guide documents how to integrate Social Identity Providers (Google, Facebook, and Apple) with a SAML-based web application for authentication using Microsoft Entra ID External Identities and Customer Identity & Access Management (CIAM). The configuration allows users to authenticate using social accounts while Microsoft Entra acts as the identity broker and issues a SAML assertion to the third-party or line-of-business (LOB) web application.

The process involves creating an external tenant, registering social identity providers, creating a user flow, configuring a SAML enterprise application, and updating the application configuration.

The Issue

Organisations often require users to authenticate using Social Identities (e.g. Google or Facebook) while maintaining a centralised identity broker for security and policy enforcement.

Without a configured identity broker:

Applications must integrate individually with each social provider.
Identity attributes are inconsistent between providers.
Access control and auditing become difficult to manage.

Basic authentication methods such as:

Local application accounts
Direct OAuth integration within the application

do not provide centralised identity management or federation capabilities.

Using Microsoft Entra External Identities resolves this by brokering authentication from social providers and issuing a standard SAML assertion to the application.

Context

Modern applications often require authentication from multiple identity providers while maintaining centralised access control.

Without a broker, the authentication flow typically looks like this:

User
  ↓
Application
  ↓
Direct OAuth with Google/Facebook

This causes several issues:

Applications must implement provider-specific authentication logic
Identity attributes differ between providers
Access control cannot be centrally enforced

Using Microsoft Entra External Identities introduces an identity broker layer:

User
  ↓
Google / Facebook / Apple
  ↓  (OAuth / OIDC)
Microsoft Entra External Tenant (CIAM)
  ↓  (User Flow)
Enterprise Application (SAML)
  ↓
Flask Web Application

In this architecture:

Before You Start

Check	Where
External tenant created	Microsoft Entra admin centre
Azure subscription linked	Tenant creation wizard
Google Developer Console account	console.cloud.google.com
Meta Developer account	developers.facebook.com
Apple Developer account (optional)	developer.apple.com
SAML web application deployed	Flask service
Service Provider metadata configured	`settings.json`

Implementation Steps (Per Environment)

Phase 1 - Create External Tenant

https://entra.microsoft.com

Navigate to:

Microsoft Entra ID> Overview> Manage Tenants

Click:

Create> External

Enter the tenant details:

Tenant Name: <Your tenant name>
Domain Name: <Your domain name>
Location: Europe or Africa
Subscription: Azure subscription

Click:

Review + Create> Create

Provisioning may take up to 30 minutes.

Switch to the new tenant:

Settings> Directories + Subscriptions> Switch

Phase 2 - Add Social Identity Providers

Navigate to:

External Identities
> All Identity Providers

Integrate with Google Identity Provider

Step 1: Configure Google OAuth

Visit: https://console.cloud.google.com/

In Google Cloud Console:

APIs & Services
> Credentials
> OAuth2 Client ID

Fill in the Name of the Webapp

Add the Authorized redirect URI:

https://<tenant-subdomain>.ciamlogin.com/<tenant-subdomain>.onmicrosoft.com/federation/oauth2

Copy the following values and keep is save

> Client ID
> Client Secret

Step 2: Register Google as Idp in Entra ID

In Entra ID (Ext tenant directory) navigate to:

External Identities
> All Identity Providers

Enter:

Client ID
Client Secret

Click:

Save

Integrate with Facebook Identity Provider

Step 1: Create Meta Developer App

Visit to:

https://developers.facebook.com

Select:

My Apps > Create App

Choose:

Authenticate and request data from users with Facebook Login

Select platform:

Web

Add redirect URI:

https://<tenant-subdomain>.ciamlogin.com/<tenant-subdomain>.onmicrosoft.com/federation/oauth2

In App Settings > Basic, copy:

App ID
App Secret

Add application domain:

<your domain here> (e.g: example.com)

Without adding the domain, Facebook login will fail with: "Can't load URL — domain isn't included in the app's domains"

Switch the application to:

Live Mode

Step 2: Register Facebook Idp in Entra ID

In Entra ID (Ext tenant directory) navigate to:

External Identities
> All Identity Providers
> + Facebook

Enter:

App ID
App Secret

Click:

Save

Integrate with Apple Identity Provider

Prerequisite: ● An active Apple Developer Account (Paid membership).

Step 1: Configure Apple Developer Portal

Navigate to:

https://developer.apple.com

Create an App ID with:

Sign in with Apple enabled

Create a Services ID

Example:

com.example.samllab

Configure redirect URI:

https://<tenant-subdomain>.ciamlogin.com/<tenant-subdomain>.onmicrosoft.com/federation/oauth2

Download:

.p8 private key

Record:

Key ID
Team ID

Step 2: Register Apple Idp in Entra ID

In Entra ID (Ext tenant directory) navigate to:

External Identities
> All Identity Providers
> + Apple

Configure:

Client ID: Your Apple services ID
Apple developer team ID: Your Apple Team ID here
Key ID: Your Apple Key ID here
Client Secret: Upload the .p8 key file here

Phase 3: Create a User Flow

In Entra ID (Ext tenant directory) navigate to:

External Identities
> User Flows
> + New User Flow

Configure:

Name: (e.g) PilotApp-Auth-via-Socials

Enable identity providers:

Email with Password
Google
Facebook

Select attributes:

Display Name
Email Address
Given Name
Surname

Click:

Create

Phase 4: Register the SAML Application in Entra ID Ext Tenant directory

Navigate to:

Enterprise Applications
> New Application
> Create Your Own Application

Name:

My PilotApp with Socials Idp

Select:

Integrate any other application you don't find in the gallery

Configure SAML

Navigate to:

Single Sign-On
> SAML

Configure:

Identifier (Entity ID)

https://mypilot-app.example.com

Reply URL (ACS)

https://mypilot-app.example.com/acs

Configure Attributes & Claims

Map attributes:

Claim	Value
givenname	user.givenname
surname	user.surname
emailaddress	user.mail

Obtain Federation Metadata

Download:

Federation Metadata XML

Extract:

IdP Entity ID
SSO URL
Signing Certificate

In Entra ID Ext Tenant Directory Link the Application to the User Flow

Navigate to:

External Identities
> User Flows
> saml_lab_signin
> Applications

Click: Add Application

Select: <The Enterprise App you want to integrate>

Phase 5: Update Third-party or LOB App that you want to integrate with Socials IDP

Replace workforce tenant values with the external tenant values.

# External Tenant Configuration

SAML_IDP_ENTITY_ID=https://<external-tenant-id>.ciamlogin.com/<external-tenant-id>/
SAML_IDP_SSO_URL=https://<tenant-name>.ciamlogin.com/<tenant-name>.onmicrosoft.com/saml2
SAML_IDP_X509CERT=<base64-certificate>

Save the configuration.

The application will now authenticate users through the External Tenant user flow.

--------------------------------- Troubleshooting -----------------------------------

Facebook - Domain Not Included in App Domains

Error:

`Can't load URL The domain of this URL isn't included in the app's domains`

Resolution:

Add the application domain in:

Meta Developer Console
> App Settings
> Basic
> App Domains

Facebook - Invalid Scopes Email

Error:

`Invalid Scopes: email`

Resolution:

Add the permission:

Permissions and Features
> email

Google - Redirect URI Mismatch

Error:

`redirect_uri_mismatch`

Resolution:

Ensure the redirect URI in Google Console matches:

https://.ciamlogin.com/.onmicrosoft.com/oauth2/authresp

Error:

AADSTS75011 Authentication method mismatch

Resolution:

Disable strict authentication context in the Service Provider configuration.

Metric	Result
Resolution Time	~45–90 minutes
User Impact	Users can authenticate using social providers
Authentication Method	Google, Facebook, Apple, or local account
Recurrence Risk	Low once identity providers are configured

WebApp Authentication with Social IDPs (Google, Facebook & Apple ID)

Field

Details

Document Type

Runbook / How-To Guide

Applies To

Microsoft Entra ID External Identities (CIAM), Social Identity Providers (Google, Facebook, Apple), Third-party Web Applications

Audience

Systems Administrators / Identity Engineers / 2nd Line Support

Author

AK. Udofeh

Last Updated

March 2026

Overview

The process involves creating an external tenant, registering social identity providers, creating a user flow, configuring a SAML enterprise application, and updating the application configuration.

The Issue

Organisations often require users to authenticate using Social Identities (e.g. Google or Facebook) while maintaining a centralised identity broker for security and policy enforcement.

Without a configured identity broker:

Applications must integrate individually with each social provider.

Identity attributes are inconsistent between providers.

Access control and auditing become difficult to manage.

Basic authentication methods such as:

Local application accounts

Direct OAuth integration within the application

do not provide centralised identity management or federation capabilities.

Using Microsoft Entra External Identities resolves this by brokering authentication from social providers and issuing a standard SAML assertion to the application.

Context

Modern applications often require authentication from multiple identity providers while maintaining centralised access control.

Without a broker, the authentication flow typically looks like this:

This causes several issues:

Applications must implement provider-specific authentication logic

Identity attributes differ between providers

Access control cannot be centrally enforced

Using Microsoft Entra External Identities introduces an identity broker layer:

In this architecture:

Social providers authenticate the user.

Entra External Identities brokers the authentication.

A SAML assertion is issued to the web application.

Before You Start

Check

Where

External tenant created

Microsoft Entra admin centre

Azure subscription linked

Tenant creation wizard

Google Developer Console account

console.cloud.google.com

Meta Developer account

developers.facebook.com

Apple Developer account (optional)

developer.apple.com

SAML web application deployed

Flask service

Service Provider metadata configured

settings.json

Implementation Steps (Per Environment)

Phase 1 - Create External Tenant

Step 1: Sign in to the Microsoft Entra admin centre:

https://entra.microsoft.com

Navigate to:

Click:

Enter the tenant details:

Tenant Name: <Your tenant name>

Domain Name: <Your domain name>

Location: Europe or Africa

Subscription: Azure subscription

Click:

Provisioning may take up to 30 minutes.

Switch to the new tenant:

Phase 2 - Add Social Identity Providers

Navigate to:

Integrate with Google Identity Provider

Step 1: Configure Google OAuth

Visit: https://console.cloud.google.com/

In Google Cloud Console:

Fill in the Name of the Webapp

Add the Authorized redirect URI:

Step 2: Register Google as Idp in Entra ID

In Entra ID (Ext tenant directory) navigate to:

Enter:

`settings.json`

`Can't load URL The domain of this URL isn't included in the app's domains`

Meta Developer Console
> App Settings
> Basic
> App Domains