How to pass login_hint from azure ad to WS-Fed external identities(okta)

Question

I have added Okta as an External Identity using WS-Fed(SAML). This is all working but as it stands the users have to enter their email address twice, one on the Azure AD login screen and the second on the IDP(Okta) login screen, so its not the best end user experience.

The External IDP supports the username being passed as part of the URI string for example;
/sso/saml?login_hint=example@reazaaa .com

Is it possible to pass a variable as part of the 'Passive authentication endpoint' URL?
If so how to get the username entered by the user and pass through the URL to the IDP?

Thanks in advance for any help or suggestions.

Dev

Answer 1

Hi @Dev User ,

Thanks for reaching out.

login_hint is a subject field in SAML authN request. Azure AD does not support parsing out user hint from subject claim in the request. So, as of now, Azure AD can use login_hint only when OIDC/OAuth is used.

I would suggest you post this idea at the Azure Feedback Portal, which is monitored by the product team for feature enhancements.

However, you can use domain_hint with SAML, the SAML authentication request must contain either a domain hint or a query string whr="idp.com"

Reference: https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/home-realm-discovery-policy#domain-hints

Hope this will help.

Thanks,
Shweta

-------------------------------------------

Please remember to "Accept Answer" if answer helped you.