Pass login_hint from Azure B2C to Azure AD SAML TechnicalProfile

Angel Nikolov 61 Reputation points
2022-11-07T12:57:33.057+00:00

Hi,

Is it possible/supported to pass login_hint from Azure B2C using an Azure AD SAML TechnicalProfile to a SAML based Azure AD?

In "[Define a SAML identity provider technical profile in an Azure Active Directory B2C custom policy][1]" it's suggested to include an InputClaim in the technical profile to send the "subject" PartnerClaim -

<InputClaims>  
	<InputClaim ClaimTypeReferenceId="issuerUserId" PartnerClaimType="subject" />  
</InputClaims>  

However, Azure AD's "Single sign-on SAML protocol" says that specifying the "subject" in the AuthnRequest is not supported.

In my testing, adding a login_hint InputClaim doesn't get respected when users are redirected to the AAD login page, prompting them to provide email again

<ClaimsProvider>  
    <Domain>AAD.SAML.domain</Domain>  
    <DisplayName>AzureAD_SAML</DisplayName>  
    <TechnicalProfiles>  
        <TechnicalProfile Id="AzureAD_SamlTechProfile">  
            <DisplayName>AzureAD_SAML</DisplayName>  
            <Metadata>  
                <Item Key="PartnerEntity">https://login.microsoftonline.com/TenantGUID/federationmetadata/2007-06/federationmetadata.xml</Item>  
                <Item Key="ClaimTypeOnWhichToEnable">identityProviders</Item>  
                <Item Key="ClaimValueOnWhichToEnable">AzureAD</Item>  
            </Metadata>  
            <InputClaims>  
                <InputClaim ClaimTypeReferenceId="signInName" PartnerClaimType="login_hint"/>  
            </InputClaims>  
            <IncludeTechnicalProfile ReferenceId="SAML-SSO-Base"/>  
            <EnabledForUserJourneys>OnItemExistenceInStringCollectionClaim</EnabledForUserJourneys>  
        </TechnicalProfile>  
    </TechnicalProfiles>  
</ClaimsProvider>  
  

Referring to the GitHub samples for AAD-OIDC and AAD-SAML2, the login_hint seems to work when using OIDC with AAD, but it's not given as example for the AAD-SAML2 profile.

Microsoft Entra External ID
Microsoft Entra External ID
A modern identity solution for securing access to customer, citizen and partner-facing apps and services. It is the converged platform of Azure AD External Identities B2B and B2C. Replaces Azure Active Directory External Identities.
2,722 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,185 questions
0 comments No comments
{count} votes

Accepted answer
  1. Shweta Mathur 29,006 Reputation points Microsoft Employee
    2022-11-10T07:40:46.037+00:00

    Hi @Angel Nikolov ,

    Thanks for reaching out.

    Your understanding is correct here.

    login_hint is a subject field in SAML authN request. Azure AD does not support parsing out user hint from subject claim in the request. So, as of now, Azure AD can use login_hint only when OIDC/OAuth is used.

    I would suggest you to upvote the idea already suggested in Azure Feedback Portal, which is monitored by the product team for feature enhancements.

    However, you can use domain_hint with SAML, the SAML authentication request must contain either a domain hint or a query string whr="idp.com"

    Reference: https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/home-realm-discovery-policy#domain-hints

    Hope this will help.

    Thanks,
    Shweta

    ------------------------------------------

    Please remember to "Accept Answer" if answer helped you.

    0 comments No comments

0 additional answers

Sort by: Most helpful