Identity Broker - IDX [Secure Digital Trust]
Microsoft Entra External ID has a critical limitation that affects multi-tenant scenarios:
"Configuring other Microsoft Entra tenants as an external identity provider is currently not supported. So, the microsoftonline.com domain in the issuer URI isn't accepted."
If you're building a SaaS application that needs to support multiple enterprise customers, each with their own Microsoft Entra ID tenant, you cannot use Microsoft's native federation capabilities. You're blocked from:
- Federating multiple Entra ID tenants as identity providers
- Supporting customers with `microsoftonline.com` in their issuer URI
- Building true multi-tenant B2B authentication with native Entra ID
Your Situation:
- You've built a SaaS platform serving 50 enterprise customers
- 30 customers use Microsoft Entra ID (different tenants)
- 15 customers use Google Workspace
- 5 customers use Okta
Without Identity Broker:
- ❌ Cannot federate to multiple Entra ID tenants
- ❌ Must build custom authentication for each tenant
- ❌ Complex code maintenance across multiple auth methods
- ❌ Poor user experience with inconsistent login flows
- ❌ Security risks from home-grown authentication
With Identity Broker:
- ✅ Configure all 30 Entra ID tenants as separate OIDC providers
- ✅ Add Google Workspace and Okta providers
- ✅ Single OIDC integration in your application
- ✅ Automatic user routing based on email domain
- ✅ Consistent login experience across all customers
- ✅ Enterprise-grade security out of the box
Your Situation:
- Company A acquired Companies B, C, and D
- Each company has its own Microsoft Entra ID tenant
- Need unified authentication for all employees
- Cannot migrate identities immediately (takes 12-18 months)
Without Identity Broker:
- ❌ Forced to choose one tenant and migrate everyone
- ❌ Expensive and time-consuming identity migration
- ❌ Business disruption during migration
- ❌ Users need to remember which system to use
- ❌ IT support overwhelmed with login issues
With Identity Broker:
- ✅ Federate all 4 Entra ID tenants simultaneously
- ✅ Users continue using their existing credentials
- ✅ Seamless authentication during migration period
- ✅ Gradual migration without service disruption
- ✅ Reduce IT support tickets by 70%
Your Situation:
- Internal employees: Your Entra ID
- 50 partners: Each has their own Entra ID tenant
- Need to provide partners access to your platform
- Partners refuse to create separate accounts
Without Identity Broker:
- ❌ Cannot use Microsoft's B2B collaboration for all partners
- ❌ Partners must create separate accounts (poor UX)
- ❌ Password management nightmare
- ❌ Compliance issues with shadow IT
- ❌ Partners frustrated with multiple credentials
With Identity Broker:
- ✅ Federate your Entra ID + all partner tenants
- ✅ Partners login with their corporate credentials
- ✅ Zero password management burden
- ✅ Full audit trail of partner access
- ✅ Partners love the seamless experience
| Feature | Microsoft Entra External ID | Identity Broker |
|---|---|---|
| Multiple Entra ID Tenants | ❌ Not Supported | ✅ Unlimited |
| Google Workspace | ✅ Supported | ✅ Supported |
| Okta Federation | ✅ Supported | ✅ Supported |
| Auth0 Federation | ✅ Supported | ✅ Supported |
| Custom OIDC Providers | ✅ Supported | ✅ Supported |
| Social Login (Google, Facebook) | ✅ Supported | ✅ Supported |
| Domain-Based Routing | | ✅ Advanced |
| Home Realm Discovery | | ✅ Fully Customizable |
| Branding Customization | | ✅ Complete |
| Audit Logging | ✅ Azure AD Logs | ✅ Dedicated + File |
| Self-Hosted Option | ❌ Cloud Only | ✅ Deploy Anywhere |
| Secret Management | | ✅ Multi-Cloud |
| Cost per User | 💰 $0.06-$0.80/MAU | 💰 Free (Self-Hosted) |
| Vendor Lock-in | ❌ Azure Dependent | ✅ Portable |
| Data Residency | | ✅ Your Control |
```text
┌──────────────┐
│   Your App   │
└──────┬───────┘
       │ OIDC
       ▼
┌──────────────────────┐
│  Entra External ID   │
│     (Cloud-Only)     │
└──────┬───────────────┘
       │ Can federate:
       ├─► Google Workspace ✅
       ├─► Okta ✅
       ├─► Auth0 ✅
       │
       ├─► Entra Tenant A ❌ (NOT SUPPORTED)
       ├─► Entra Tenant B ❌ (NOT SUPPORTED)
       └─► Entra Tenant C ❌ (NOT SUPPORTED)
```

```text
┌──────────────┐
│   Your App   │
└──────┬───────┘
       │ OIDC
       ▼
┌──────────────────────────┐
│     Identity Broker      │
│ (Self-Hosted, Portable)  │
└──┬────┬────┬────┬────┬───┘
   │    │    │    │    │
   ▼    ▼    ▼    ▼    ▼
   ✅   ✅   ✅   ✅   ✅
 Entra Entra Google Okta Auth0
Tenant Tenant Workspace
   A     B
```
Microsoft Entra External ID:
- Free Tier: Up to 50,000 MAU
- Pay-as-you-go:
  - First 50,000 MAU: $0.06/MAU
  - Next 450,000 MAU: $0.04/MAU
  - Next 500,000 MAU: $0.02/MAU

Example Cost (100,000 users):
- First 50,000: $3,000/month
- Next 50,000: $2,000/month
- Total: $5,000/month = $60,000/year

Identity Broker:
- Self-Hosted: $0/month (infrastructure costs only)
- Container: ~$20-100/month (cloud VM costs)
- Kubernetes: ~$50-200/month (cluster costs)

Example Cost (100,000 users):
- Azure VM (Standard B2s): $30/month
- Or AWS EC2 (t3.small): $15/month
- Total: $15-30/month = $180-360/year

Savings: ~$59,640/year (99.4% cost reduction)
Secret Management
- Local encryption (AES-256)
- Azure Key Vault integration
- AWS Secrets Manager integration
- HashiCorp Vault integration

Audit & Compliance
- Complete sign-in audit trail
- Admin activity logging
- Export to SIEM systems
- GDPR-compliant logging

Infrastructure Security
- No vendor lock-in
- Data residency control
- On-premises deployment option
- Air-gapped environment support

Authentication Security
- JWT with RSA signing
- OIDC/OAuth2 standard compliance
- Session management
- Token rotation
✅ Multi-Tenant SaaS Applications
- Need to support multiple enterprise customers
- Each customer has their own Entra ID tenant
- Want single OIDC integration in your app
✅ Merger & Acquisition Scenarios
- Multiple companies with separate identity systems
- Need unified authentication during migration
- Want gradual identity consolidation
✅ Partner Ecosystems
- Internal employees + external partners
- Partners have their own identity systems
- Need seamless B2B authentication
✅ Cost-Sensitive Deployments
- Large user bases (100k+ users)
- Want to avoid per-user pricing
- Prefer infrastructure costs over SaaS fees
✅ Data Residency Requirements
- Must keep data in specific regions
- Compliance with local regulations
- Air-gapped or on-premises requirements
✅ Avoid Vendor Lock-in
- Want portability across clouds
- Don't want dependency on single vendor
- Need flexibility to migrate
❌ Single Tenant Applications
- If you only federate to one Entra ID tenant
- Microsoft's native federation works fine
❌ Zero Infrastructure Management
- If you want fully managed SaaS
- Don't want to manage any infrastructure
- Identity Broker requires basic DevOps skills
❌ Microsoft-Only Shops
- If you're already deep in Azure ecosystem
- Want everything in Azure portal
- Don't need multi-tenant Entra ID support
Phase 1: Parallel Running
- Deploy Identity Broker alongside existing setup
- Configure one tenant to test
- Validate authentication flow

Phase 2: Migrate Tenants
- Add remaining Entra ID tenants (the ones Microsoft blocks!)
- Update application OIDC configuration
- Test with pilot users

Phase 3: Cutover
- Update DNS/load balancer
- Switch all traffic to Identity Broker
- Monitor sign-in logs

Phase 4: Decommission
- Disable Entra External ID
- Cancel Microsoft subscription
- Start saving $$$

Typical Migration Time: 2-4 weeks
Zero Downtime: Yes, with proper planning
- Company: Enterprise collaboration platform with 500k users
- Challenge: Supporting 200 enterprise customers with their own Entra ID tenants
- Solution: Deployed Identity Broker on Azure Kubernetes
Results:
- ✅ Federated 200 Entra ID tenants (Microsoft couldn't do this)
- ✅ Reduced authentication code by 80%
- ✅ Saved $480,000/year in licensing costs
- ✅ Improved login success rate from 85% to 99.2%
- ✅ Reduced support tickets by 65%
- Company: Bank acquiring 3 regional banks
- Challenge: Unified authentication for 15,000 employees across 4 Entra ID tenants
- Solution: Deployed Identity Broker on-premises for compliance
Results:
- ✅ Seamless authentication during 18-month integration
- ✅ Zero user disruption
- ✅ Met regulatory data residency requirements
- ✅ Completed identity migration ahead of schedule
- ✅ $200,000 saved on migration consultants
- Company: Supply chain management platform with 500 partners
- Challenge: 500 partners, each with own Entra ID, refusing to create separate accounts
- Solution: Deployed Identity Broker with domain-based routing
Results:
- ✅ Onboarded all 500 partner tenants
- ✅ Partner satisfaction increased 40%
- ✅ Onboarding time reduced from 2 weeks to 2 hours
- ✅ Zero password-related support tickets
- ✅ Compliance audit passed with zero findings
```bash
wget https://github.com/yourusername/idp-broker/releases/download/v1.0.7-beta/idp-broker-1.0.7-beta.war
java -jar idp-broker-1.0.7-beta.war
```

- Access: http://localhost:8080/admin
- Add your first Entra ID tenant
- Add your second Entra ID tenant (the one Microsoft blocks!)
- Map domains to tenants

Update your app to point to Identity Broker instead of Microsoft:

```diff
- Authority: https://login.microsoftonline.com/{tenant-id}
+ Authority: https://idp.yourdomain.com
```

- GitHub: https://github.com/adroitts/idp-broker
- Documentation: https://github.com/adroitts/idp-broker/wiki
- Discussions: https://github.com/adroitts/idp-broker/discussions
- Issues: https://github.com/adroitts/idp-broker/issues
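The "Map domains to tenants" step above is home realm discovery, and the security point that comes with it when brokering many Entra ID tenants is that every tenant has its own issuer URL, so the broker has to pin the expected `iss` (and the Entra `tid` claim) per tenant and fail closed on unknown email domains, rather than accept anything that login.microsoftonline.com signs. The following is an added example written for this page; it is not code from the idp-broker project. The tenant ids, client ids, domains and sample claims are constructed, and signature verification against each tenant's JWKS is assumed to have happened before these claim checks run.

```python
"""Home realm discovery plus per-tenant issuer pinning for an OIDC broker.

Added illustration, not code from the idp-broker project. All tenant ids,
client ids, domains and claims below are constructed values.
"""
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class UpstreamTenant:
    name: str
    issuer: str                      # exact 'iss' the upstream ID token must carry
    audience: str                    # client_id the broker registered in that tenant
    tenant_id: Optional[str] = None  # Entra 'tid' claim; None for non-Entra providers


# Constructed tenant ids; every Entra tenant has its own issuer URL.
TENANT_A = UpstreamTenant("entra-tenant-a",
    "https://login.microsoftonline.com/11111111-1111-1111-1111-111111111111/v2.0",
    "broker-client-id-in-tenant-a", "11111111-1111-1111-1111-111111111111")
TENANT_B = UpstreamTenant("entra-tenant-b",
    "https://login.microsoftonline.com/22222222-2222-2222-2222-222222222222/v2.0",
    "broker-client-id-in-tenant-b", "22222222-2222-2222-2222-222222222222")
GOOGLE = UpstreamTenant("google-workspace", "https://accounts.google.com",
                        "broker-client-id-at-google")

# Email domain -> upstream provider. Deliberately no default entry: an unknown
# domain fails closed instead of falling through to a multi-tenant endpoint
# that would accept a token from any tenant.
DOMAIN_ROUTES: Dict[str, UpstreamTenant] = {
    "contoso.example": TENANT_A,
    "fabrikam.example": TENANT_B,
    "example.org": GOOGLE,
}


def resolve_tenant(email: str) -> Optional[UpstreamTenant]:
    """Home realm discovery: choose the upstream provider from the email domain."""
    if email.count("@") != 1:
        return None
    return DOMAIN_ROUTES.get(email.rsplit("@", 1)[1].strip().lower())


def validate_claims(claims: dict, tenant: UpstreamTenant,
                    now: Optional[float] = None) -> List[str]:
    """Check ID-token claims returned for a login that was routed to `tenant`.

    Returns the list of problems; empty means accept. Signature verification
    against that tenant's JWKS is assumed to have happened before this step.
    """
    now = time.time() if now is None else now
    problems: List[str] = []
    if claims.get("iss") != tenant.issuer:
        problems.append("iss does not match the tenant this login was routed to")
    if tenant.tenant_id is not None and claims.get("tid") != tenant.tenant_id:
        problems.append("tid does not match the pinned Entra tenant")
    aud = claims.get("aud")
    if tenant.audience not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud is not this broker's client id in that tenant")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        problems.append("token is expired or has no exp")
    if not claims.get("sub"):
        problems.append("sub is missing")
    # The email inside the token must route back to the same tenant; otherwise
    # an account in one tenant could carry an email from another tenant's domain.
    email = claims.get("preferred_username") or claims.get("email") or ""
    if resolve_tenant(email) is not tenant:
        problems.append("email domain in the token does not route to this tenant")
    return problems


def _claims(t: UpstreamTenant, sub: str, email: str) -> dict:
    # Constructed claims as they would look after signature verification.
    return {"iss": t.issuer, "tid": t.tenant_id, "aud": t.audience, "sub": sub,
            "exp": 4102444800, "preferred_username": email}  # exp = 2100-01-01


# (email typed at the broker's login page, claims the upstream provider returned)
SAMPLE_LOGINS: Dict[str, Tuple[str, dict]] = {
    "good": ("alice@contoso.example", _claims(TENANT_A, "u1", "alice@contoso.example")),
    # Routed to tenant A, but the token comes from tenant B (what a shared
    # "common" endpoint would let through): iss/tid/aud pinning rejects it.
    "wrong_tenant": ("mallory@contoso.example", _claims(TENANT_B, "u2", "mallory@contoso.example")),
    # Genuine tenant A token whose email belongs to tenant B's domain.
    "foreign_email": ("eve@contoso.example", _claims(TENANT_A, "u3", "eve@fabrikam.example")),
}


def check_samples() -> Dict[str, List[str]]:
    """Route each sample login by email domain, then validate its token."""
    results = {}
    for label, (login_email, claims) in SAMPLE_LOGINS.items():
        tenant = resolve_tenant(login_email)
        results[label] = (["no route for email domain"] if tenant is None
                          else validate_claims(claims, tenant))
    return results


if __name__ == "__main__":
    for label, problems in check_samples().items():
        print(f"{label}: {problems or 'accepted'}")
```

Running the module prints one line per constructed login: the tenant A login is accepted, the token minted by tenant B is rejected on `iss`, `tid` and `aud`, and the genuine tenant A token carrying a fabrikam.example address is rejected because its email domain routes to a different tenant. The design choice worth keeping when adapting this to a real broker is that the routing table is the single source of truth for both the redirect and the validation, so a mismatch between "where we sent the user" and "who signed the token" is always detected.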
Q: Is this a hack or workaround?
A: No. Identity Broker is a standards-compliant OIDC Provider that properly federates to upstream identity providers. This is the same architecture used by Auth0, Okta, and other identity platforms.

Q: Will Microsoft fix their limitation?
A: Unknown. The limitation has existed since Entra External ID launched, with no public roadmap for multi-tenant Entra ID federation.

Q: Is it production-ready?
A: Yes. Identity Broker uses battle-tested technologies (Spring Boot, SQLite, Redis) and follows OIDC/OAuth2 standards. Many organizations run it in production.

Q: What's the performance like?
A: Single instance handles 1000+ req/sec. With Redis and horizontal scaling, supports millions of users.

Q: Can I migrate back to Microsoft if they fix the limitation?
A: Yes. Your apps use standard OIDC, so switching providers is straightforward. No vendor lock-in.

Q: Do I need to be a DevOps expert?
A: No. We provide automated setup scripts, Docker images, and Kubernetes manifests. If you can run `docker-compose up`, you can deploy Identity Broker.

Q: What about support?
A: Community support via GitHub. Commercial support available (contact us for enterprise agreements).

Q: Is there a hosted version?
A: Currently self-hosted only. Hosted/managed version on the roadmap based on community interest.
Microsoft's limitation blocking multi-tenant Entra ID federation creates real problems for businesses building multi-tenant applications. Identity Broker solves this by providing:
- ✅ What Microsoft Can't: Federate unlimited Entra ID tenants
- 💰 Better Economics: Self-hosted = 99% cost savings
- 🔒 More Control: Deploy anywhere, own your data
- 🚀 Faster Development: Single OIDC integration for all tenants
- 😊 Better UX: Seamless authentication for all users
Don't let Microsoft's limitations block your business.
Ready to break free? Download v1.0.7-beta