This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(195.2, 59%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAN%3C/text%3E%3C/svg%3E)
Hi,
Is it possible/supported to pass login_hint from Azure B2C using an Azure AD SAML TechnicalProfile to a SAML based Azure AD?
In "[Define a SAML identity provider technical profile in an Azure Active Directory B2C custom policy][1]" it's suggested to include an InputClaim in the technical profile to send the "subject" PartnerClaim -
<InputClaims>
<InputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="subject" />
</InputClaims>
However, Azure AD's "Single sign-on SAML protocol" says that specifying the "subject" in the AuthnRequest is not supported.
In my testing, adding a login_hint InputClaim doesn't get respected when users are redirected to the AAD login page, prompting them to provide email again
<ClaimsProvider>
<Domain>AAD.SAML.domain</Domain>
<DisplayName>AzureAD_SAML</DisplayName>
<TechnicalProfiles>
<TechnicalProfile Id="AzureAD_SamlTechProfile">
<DisplayName>AzureAD_SAML</DisplayName>
<Metadata>
<Item Key="PartnerEntity">https://login.microsoftonline.com/TenantGUID/federationmetadata/2007-06/federationmetadata.xml</Item>
<Item Key="ClaimTypeOnWhichToEnable">identityProviders</Item>
<Item Key="ClaimValueOnWhichToEnable">AzureAD</Item>
</Metadata>
<InputClaims>
<InputClaim ClaimTypeReferenceId="signInName" PartnerClaimType="login_hint"/>
</InputClaims>
<IncludeTechnicalProfile ReferenceId="SAML-SSO-Base"/>
<EnabledForUserJourneys>OnItemExistenceInStringCollectionClaim</EnabledForUserJourneys>
</TechnicalProfile>
</TechnicalProfiles>
</ClaimsProvider>
Referring to the GitHub samples for AAD-OIDC and AAD-SAML2, the login_hint seems to work when using OIDC with AAD, but it's not given as example for the AAD-SAML2 profile.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(246.4, 20%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESM%3C/text%3E%3C/svg%3E)
Hi @Angel Nikolov ,
Thanks for reaching out.
Your understanding is correct here.
login_hint is a subject field in SAML authN request. Azure AD does not support parsing out user hint from subject claim in the request. So, as of now, Azure AD can use login_hint only when OIDC/OAuth is used.
I would suggest you to upvote the idea already suggested in Azure Feedback Portal, which is monitored by the product team for feature enhancements.
However, you can use domain_hint with SAML, the SAML authentication request must contain either a domain hint or a query string whr="idp.com"
Hope this will help.
Thanks,
Shweta
------------------------------------------
Please remember to "Accept Answer" if answer helped you.