The process is very similar to how you set it up for internal users, except that you need to replace the URLs with Community URLs.
Let's look step by step at the mechanism to accomplish this. For simplicity, I am taking another Winter 17 pre-release org as the SP (Service Provider).
Step 1
Set up a Partner Community in Salesforce (this is your IDP org). I'm not going to detail this, but it should be straightforward.
Step 2
Download the self-signed certificate from your IDP org. Your IDP org is where you have set up the partner community. Navigate to
Setup | Security Controls | Identity Provider
Click on Download Certificate button
You will clearly see that for your Partner Community there is a Discovery Endpoint URL. Carefully note this down, as it will be needed by your Service Provider. Also note down the issuer.
Step 3
Let's go to the service provider screen. In my example it's another Salesforce instance (Winter 17 pre-release org).
Setup | Security Controls | Single Sign On Settings
Carefully note two things
1. The issuer was obtained from the IDP.
2. The IDP login URL is the one we noted in step 2 from the IDP.
3. We have uploaded the certificate which we downloaded in the previous step.
Step 4
Create a Connected App in the IDP and allow the partner community profile for the connected app.
Carefully note that I have configured the ACS URL which was provided by the service provider in the previous step.
Once your connected app is saved, when you click on the Detail link of the Connected App, you will get an IDP-initiated URL for every community.
The IDP-initiated login URL is what you need to put on a tab or Visualforce. You will then see that the user is redirected to the SP once the user clicks on the IDP-initiated URL, without having to log into the SP org.
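A check for the three values step 3 says to note (issuer, IdP login URL, certificate), added here as an example that is not part of the original answer: it compares a service provider's SSO settings against SAML metadata taken from the IdP. The metadata document, host names and certificate bytes are constructed placeholders, and the function and dictionary key names are hypothetical.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Constructed placeholder bytes standing in for the DER certificate (not a real one).
CERT_B64 = base64.b64encode(b"constructed-idp-signing-cert").decode()
# Constructed IdP metadata for a community; all host names are placeholders.
IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/partners">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{CERT_B64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/partners/idp/endpoint/HttpRedirect"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def fingerprint(cert_b64):
    """SHA-256 over the decoded certificate bytes, as lowercase hex."""
    return hashlib.sha256(base64.b64decode(cert_b64)).hexdigest()

def idp_facts(metadata_xml):
    # Only parse metadata downloaded from your own IdP; ElementTree is not
    # hardened against hostile XML.
    root = ET.fromstring(metadata_xml)
    key = root.find(".//md:KeyDescriptor[@use='signing']", NS)
    cert = key.find(".//ds:X509Certificate", NS)
    return {
        "issuer": root.get("entityID"),
        "login_urls": {e.get("Location")
                       for e in root.iterfind(".//md:SingleSignOnService", NS)},
        "cert_sha256": fingerprint("".join(cert.text.split())),
    }

def check_sp_settings(sp, metadata_xml):
    """Return the names of SP settings that do not match the IdP metadata."""
    idp = idp_facts(metadata_xml)
    problems = []
    if sp["issuer"] != idp["issuer"]:
        problems.append("issuer")          # e.g. org URL used instead of community URL
    if sp["idp_login_url"] not in idp["login_urls"]:
        problems.append("idp_login_url")
    if sp["cert_sha256"].lower() != idp["cert_sha256"]:
        problems.append("cert")            # SP trusts a different signing certificate
    return problems
```

An empty list means the SP trusts exactly the issuer, login endpoint and signing certificate that the community IdP publishes.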
Most of the credit for this answer goes to RJ Hill from MapAnything, who helped me solve this IRL.
The issue was that the Facebook app, by default, does not return the email address of the logged-in user. So Salesforce cannot find the existing user, because it requires a First Name, Last Name and Email to look up existing users.
In order to call the requisite information, the User Info Endpoint URL needs to be updated to the following: https://graph.facebook.com/me?fields=id,name,email,first_name,last_name
Best Answer
I think you'll find the answers to your question in these two posts here on SF.SE: Basic SSO concepts and how Salesforce fits in and SSO with OAuth for Communities. The first post asks questions very close to yours and receives some fairly specific answers that I think you'll find helpful while the second is more general. The resources provided as links are what you'll need to look at to resolve any issues you're having.