Choose identity provider based on email address in AD B2C?

I would like to be able to choose which identity provider to use based on the email address entered.

When logging into a Microsoft resource, I'm presented with a login box where I enter my email address. Once it knows my email address, I'm redirected to the sign-in page for the correct identity provider. For example, if I type "[email protected]", I'm redirected to Shell's login page.

Using AD B2C, it's possible to federate authentication to any provider, but the user has to choose which provider to use prior to logging in. This is not nice for a multi-tenanted app using SSO because I either have to provide a button for each tenant, or provide a different URL for each tenant. I would like to use a single URL and automatically choose the identity provider based on the email address they type in.

I could possibly build something outside of AD B2C, but is it possible to build something like this within an AD B2C custom policy?

Code Monkey asked Jan 23 '26 20:01


2 Answers

See this custom policy that implements home realm discovery which, based on the e-mail domain that is entered, redirects the end user to their identity provider.

Chris Padgett answered Jan 25 '26 20:01


See direct sign-in. You can also tell users to come to your app with some IdP-specific code in the URL, e.g. https://customer1.app.com and then translate that code into the domain name of the IdP you registered in IEF, and pass the domain_hint in your token request to B2C (an alternative to asking for email).

Marc answered Jan 25 '26 21:01
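An added example, not code from either answer, that puts both suggestions together on the application side: the e-mail domain (or the per-tenant hostname from the second answer) is resolved to the IdP domain name registered in the custom policy and passed as domain_hint on the B2C authorize request. The tenant name, policy name, hostnames and IdP domain names are constructed placeholders; an unknown domain yields no hint, so B2C shows its default sign-in instead of guessing.

```python
from typing import Optional
from urllib.parse import urlencode

# Constructed mapping: e-mail domain -> domain name of the IdP as registered
# in the B2C custom policy (the value B2C expects in domain_hint).
EMAIL_DOMAIN_TO_IDP = {
    "customer1.example": "customer1-saml",
    "customer2.example": "customer2-oidc",
}

# Constructed mapping for the tenant-specific URL variant: the host the user
# arrived on -> that tenant's e-mail domain, reusing the table above.
HOST_TO_EMAIL_DOMAIN = {
    "customer1.app.example": "customer1.example",
    "customer2.app.example": "customer2.example",
}

# Placeholder tenant ("contoso") and policy name ("B2C_1A_signin").
B2C_AUTHORIZE = ("https://contoso.b2clogin.com/contoso.onmicrosoft.com/"
                 "B2C_1A_signin/oauth2/v2.0/authorize")


def idp_for_email(email: str) -> Optional[str]:
    """Home realm discovery: map the e-mail domain to a domain_hint value.
    Returns None when the domain is not federated (no hint is sent)."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("not an e-mail address")
    return EMAIL_DOMAIN_TO_IDP.get(domain.lower())


def idp_for_host(host: str) -> Optional[str]:
    """Variant from the second answer: derive the IdP from the hostname."""
    email_domain = HOST_TO_EMAIL_DOMAIN.get(host.lower())
    return EMAIL_DOMAIN_TO_IDP.get(email_domain) if email_domain else None


def build_authorize_url(client_id: str, redirect_uri: str,
                        domain_hint: Optional[str], state: str, nonce: str) -> str:
    """Authorization-code request to B2C; state and nonce are caller-generated
    random values and must be checked when the response comes back."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": "openid offline_access",
        "state": state,
        "nonce": nonce,
    }
    if domain_hint:
        params["domain_hint"] = domain_hint  # steers B2C straight to that IdP
    return f"{B2C_AUTHORIZE}?{urlencode(params)}"
```

domain_hint only selects which sign-in page the user lands on; which IdP actually issued the identity is still taken from the claims in the token B2C returns, not from the hint the app sent.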