-
Notifications
You must be signed in to change notification settings - Fork 253
Federated Credentials from other Identity Providers
Bogdan Gavril edited this page Dec 1, 2025
·
4 revisions
Federated Identity Credentials provide a way to avoid managing secrets or certificate credentials. In this case, the credential is issued by another OIDC compliant Identity Provider (IdP). The federated identity credential creates a trust relationship between an application and an external IdP.
This avoids having to manage an extra credential for Entra. You still have to manage a credential in the external IdP.
See the Entra docs for how to set this up.
- In the appsettings.json that Microsoft.Identity.Web uses, you declare a separate section in your config for the external IdP.
{
"$schema": "https://raw.githubusercontent.com/AzureAD/microsoft-identity-web/refs/heads/master/JsonSchemas/microsoft-identity-web.json",
"AzureAD": {
"Instance": "https://login.microsoftonline.com/",
"TenantId": "Entra_tenent_id",
"ClientId": "Entra_client_id",
"ClientCredentials": [
{
"SourceType": "CustomSignedAssertion",
"CustomSignedAssertionProviderName": "OidcIdpSignedAssertion",
"TokenExchangeUrl": "api://AzureADTokenExchange", // the audience of the federated credential, for EntraID it is different on each cloud
"CustomSignedAssertionProviderData": {
"ConfigurationSection": "CredentialSection" // reference to the section below
}
}
]
},
"CredentialSection": {
"Instance": "https://login.microsoftonline.us/" // Use Instance + TenantID for EntraID and "Authority" for other Identity Providers
"TenantId": "Entra_tenent_id"
"ClientId": "external_idp_client_id",
"ClientCredentials": [ // the other IdP still needs a credential
{
"SourceType": "StoreWithDistinguishedName",
"CertificateStorePath": "CurrentUser/My",
"CertificateDistinguishedName": "CN=my_cert_cn"
}
]
}
}
- Add a reference to Microsoft.Identity.Web.OidcFIC
- Inject the new credential
TokenAcquirerFactoryTesting.ResetTokenAcquirerFactoryInTest();
TokenAcquirerFactory tokenAcquirerFactory = TokenAcquirerFactory.GetDefaultInstance();
+ tokenAcquirerFactory.Services.AddOidcFic();- Get the authroization header or call downstream APIs as usual
For a setup that uses Entra-to-Entra, see this integration test.
For a code-only setup, see this test.
- Home
- Why use Microsoft Identity Web?
- Web apps
- Web APIs
- Minimal support for .NET FW Classic
- Logging
- Azure AD B2C limitations
- Samples
- Certificates
- Managed Identity as Federated Credential
- Federated Credentials from other Identity Provider
- Extensibility: Bring your own credential
- Get client secrets from KeyVault
- Web apps
- Web app samples
- Web app template
- Call an API from a web app
- Managing incremental consent and conditional access
- Web app troubleshooting
- Deploy to App Services Linux containers or with proxies
- SameSite cookies
- Hybrid SPA
- Web APIs
- Web API samples
- Web API template
- Call an API from a web API
- Token Decryption
- Web API troubleshooting
- web API protected by ACLs instead of app roles
- gRPC apps
- Azure Functions
- Long running processes in web APIs
- Authorization policies
- Generic API
- Customization
- Logging
- Calling graph with specific scopes/tenant
- Multiple Authentication Schemes
- Utility classes
- Setting FIC+MSI
- Mixing web app and web API
- Deploying to Azure App Services
- Azure AD B2C issuer claim support
- Performance
- specify Microsoft Graph scopes and app-permissions
- Integrate with Azure App Services authentication
- Ajax calls and incremental consent and conditional access
- Back channel proxys
- Client capabilities