Pass login_hint from Azure B2C to Azure AD SAML TechnicalProfile

Angel Nikolov 61 Reputation points
2022-11-07T12:57:33.057+00:00

Hi,

Is it possible/supported to pass login_hint from Azure B2C using an Azure AD SAML TechnicalProfile to a SAML based Azure AD?

In "[Define a SAML identity provider technical profile in an Azure Active Directory B2C custom policy][1]" it's suggested to include an InputClaim in the technical profile to send the "subject" PartnerClaim -

<InputClaims>
    <InputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="subject" />
</InputClaims>

However, Azure AD's "Single sign-on SAML protocol" says that specifying the "subject" in the AuthnRequest is not supported.

In my testing, adding a login_hint InputClaim doesn't get respected when users are redirected to the AAD login page, prompting them to provide their email again:

<ClaimsProvider>
    <Domain>AAD.SAML.domain</Domain>
    <DisplayName>AzureAD_SAML</DisplayName>
    <TechnicalProfiles>
        <TechnicalProfile Id="AzureAD_SamlTechProfile">
            <DisplayName>AzureAD_SAML</DisplayName>
            <Metadata>
                <Item Key="PartnerEntity">https://login.microsoftonline.com/TenantGUID/federationmetadata/2007-06/federationmetadata.xml</Item>
                <Item Key="ClaimTypeOnWhichToEnable">identityProviders</Item>
                <Item Key="ClaimValueOnWhichToEnable">AzureAD</Item>
            </Metadata>
            <InputClaims>
                <InputClaim ClaimTypeReferenceId="signInName" PartnerClaimType="login_hint"/>
            </InputClaims>
            <IncludeTechnicalProfile ReferenceId="SAML-SSO-Base"/>
            <EnabledForUserJourneys>OnItemExistenceInStringCollectionClaim</EnabledForUserJourneys>
        </TechnicalProfile>
    </TechnicalProfiles>
</ClaimsProvider>

Referring to the GitHub samples for AAD-OIDC and AAD-SAML2, the login_hint seems to work when using OIDC with AAD, but it's not given as example for the AAD-SAML2 profile.


Answer accepted by question author
    Shweta Mathur 30,426 Reputation points Microsoft Employee Moderator
    2022-11-10T07:40:46.037+00:00

    Hi @Angel Nikolov ,

    Thanks for reaching out.

    Your understanding is correct here.

    login_hint is a subject field in a SAML AuthN request. Azure AD does not support parsing out a user hint from the subject claim in the request. So, as of now, Azure AD can use login_hint only when OIDC/OAuth is used.

    I would suggest you upvote the idea already suggested in the Azure Feedback Portal, which is monitored by the product team for feature enhancements.

    However, you can use domain_hint with SAML: the SAML authentication request must contain either a domain hint or a query string whr="idp.com".

    Reference: https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/home-realm-discovery-policy#domain-hints

    Hope this will help.

    Thanks,
    Shweta

    ------------------------------------------

    Please remember to "Accept Answer" if answer helped you.
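A practical way to confirm what the IdP can actually see is to decode the redirect that B2C emits and look at exactly two places: the Subject NameID inside the AuthnRequest (the only place a SAML SP can carry a login hint, which the answer says Azure AD ignores) and the whr / domain_hint query parameters (which Azure AD documents for home realm discovery). The script below is an added example, not code from the question, the answer or any Microsoft sample; the AuthnRequest, tenant id and URLs are constructed placeholders.

```python
import base64
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample AuthnRequest carrying a NameID hint; IDs and URLs are placeholders.
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_placeholder-id" '
    'Version="2.0" IssueInstant="2022-11-07T12:00:00Z" '
    'Destination="https://login.microsoftonline.com/TENANT-PLACEHOLDER/saml2">'
    '<saml:Issuer>https://example-b2c-tenant.b2clogin.com/placeholder</saml:Issuer>'
    '<saml:Subject><saml:NameID>user@example.com</saml:NameID></saml:Subject>'
    '</samlp:AuthnRequest>'
)

def encode_redirect_binding(authn_request_xml, extra_query=None):
    """Build an HTTP-Redirect binding URL: raw DEFLATE, base64, then URL-encode."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = raw deflate, no zlib header
    raw = compressor.compress(authn_request_xml.encode("utf-8")) + compressor.flush()
    query = {"SAMLRequest": base64.b64encode(raw).decode("ascii")}
    if extra_query:
        query.update(extra_query)  # e.g. {"whr": "idp.example.com"} for home realm discovery
    return "https://login.microsoftonline.com/TENANT-PLACEHOLDER/saml2?" + urllib.parse.urlencode(query)

def inspect_redirect(url):
    """Report the hints visible to the IdP in a redirect URL.

    subject_name_id: NameID inside the AuthnRequest (SAML's own login hint slot).
    whr / domain_hint: query-string hints; None when absent.
    """
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    raw = base64.b64decode(query["SAMLRequest"][0])
    root = ET.fromstring(zlib.decompress(raw, -15).decode("utf-8"))
    name_id = root.find(f"{{{SAML_NS}}}Subject/{{{SAML_NS}}}NameID")
    return {
        "subject_name_id": name_id.text if name_id is not None else None,
        "whr": query.get("whr", [None])[0],
        "domain_hint": query.get("domain_hint", [None])[0],
    }

if __name__ == "__main__":
    print(inspect_redirect(encode_redirect_binding(SAMPLE_AUTHN_REQUEST, {"whr": "idp.example.com"})))
```

Point inspect_redirect at the real Location header captured from the B2C-to-Azure AD redirect to see whether the InputClaim ended up in the NameID (ignored by Azure AD) or as a whr/domain_hint parameter (honoured).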


0 additional answers
