Hi,
Is it possible/supported to pass login_hint from Azure B2C using an Azure AD SAML TechnicalProfile to a SAML based Azure AD?
In "[Define a SAML identity provider technical profile in an Azure Active Directory B2C custom policy][1]" it's suggested to include an InputClaim in the technical profile to send the "subject" PartnerClaim:
```xml
<InputClaims>
  <InputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="subject" />
</InputClaims>
```
However, Azure AD's "Single sign-on SAML protocol" says that specifying the "subject" in the AuthnRequest is not supported.
In my testing, adding a login_hint InputClaim doesn't get respected when users are redirected to the AAD login page, prompting them to provide their email again:
```xml
<ClaimsProvider>
  <Domain>AAD.SAML.domain</Domain>
  <DisplayName>AzureAD_SAML</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="AzureAD_SamlTechProfile">
      <DisplayName>AzureAD_SAML</DisplayName>
      <Metadata>
        <Item Key="PartnerEntity">https://login.microsoftonline.com/TenantGUID/federationmetadata/2007-06/federationmetadata.xml</Item>
        <Item Key="ClaimTypeOnWhichToEnable">identityProviders</Item>
        <Item Key="ClaimValueOnWhichToEnable">AzureAD</Item>
      </Metadata>
      <InputClaims>
        <InputClaim ClaimTypeReferenceId="signInName" PartnerClaimType="login_hint"/>
      </InputClaims>
      <IncludeTechnicalProfile ReferenceId="SAML-SSO-Base"/>
      <EnabledForUserJourneys>OnItemExistenceInStringCollectionClaim</EnabledForUserJourneys>
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>
```
Referring to the GitHub samples for AAD-OIDC and AAD-SAML2, the login_hint seems to work when using OIDC with AAD, but it's not given as an example for the AAD-SAML2 profile.
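One way to see what the B2C technical profile actually sends to Azure AD, as an added example that is not part of the original post: decode the `SAMLRequest` query parameter of the redirect (HTTP-Redirect binding, base64 over raw DEFLATE) and report whether the AuthnRequest carries a `Subject/NameID`, since that is the only place a SAML request can carry a pre-filled identity. The sample request below is constructed for the demonstration; `TenantGUID` and `contoso-b2c.example` are placeholders.

```python
import base64
import zlib
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"


def decode_redirect_saml_request(saml_request_param: str) -> bytes:
    """Reverse the HTTP-Redirect binding encoding: base64, then raw DEFLATE."""
    raw = base64.b64decode(saml_request_param)
    return zlib.decompress(raw, -15)  # wbits=-15 selects raw DEFLATE (no zlib header)


def encode_redirect_saml_request(xml_bytes: bytes) -> str:
    """Inverse of the above, used here only to build a sample redirect parameter."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml_bytes) + comp.flush()).decode()


def inspect_authn_request(xml_bytes: bytes) -> dict:
    """Report the Destination and whether a Subject/NameID was sent with the request."""
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError(f"not a SAML AuthnRequest: {root.tag}")
    name_id = root.find(f"{{{SAML}}}Subject/{{{SAML}}}NameID")
    return {
        "destination": root.get("Destination"),
        "has_subject": name_id is not None,
        "name_id": name_id.text if name_id is not None else None,
        "name_id_format": name_id.get("Format") if name_id is not None else None,
    }


# Constructed sample (not captured from a real tenant): the shape of a request in which
# B2C populated a "subject" InputClaim from the user's sign-in name.
SAMPLE_AUTHN_REQUEST = b"""<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed-id-1" Version="2.0"
  IssueInstant="2023-01-01T00:00:00Z"
  Destination="https://login.microsoftonline.com/TenantGUID/saml2">
  <saml:Issuer>https://contoso-b2c.example/B2C_1A_signup_signin</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@example.com</saml:NameID>
  </saml:Subject>
</samlp:AuthnRequest>"""

if __name__ == "__main__":
    param = encode_redirect_saml_request(SAMPLE_AUTHN_REQUEST)
    print(inspect_authn_request(decode_redirect_saml_request(param)))
```

Paste the real `SAMLRequest` value from the browser's network trace into `decode_redirect_saml_request` to check whether the `login_hint` or `subject` InputClaim produced any `NameID` at all.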