Enforce user name for SP-initiated login to AD/ADFS (SAML)

FS 21 Reputation points
2021-02-11T08:26:11.517+00:00

I am configuring SAML 2.0 federation from a 3rd party IdP to various AD and ADFS instances. The user enters their email address on the login page of the 3rd party IdP, which then decides, based on the email domain, to which AD or ADFS instance to federate the login request. This works fine, but we have the need to not just pre-fill the email address on the AD/ADFS login page (which can be achieved via login_hint or username parameters), but to prevent the user from changing the email address once they are on the federated IdP.

In other words, the user should only be able to enter the email address once on the 3rd party IdP, and then be asked for the credentials (password, MFA) by the federated IdP (AD/ADFS).

From my reading, the SAML 2.0 standard does not support this, nor have I been able to find a request parameter that could be passed in addition to the SAMLRequest to AD/ADFS.

Is this something that's possible, or can somebody say with confidence that this is simply not supported?

Thanks in advance.

Active Directory Federation Services

1 answer

  1. Pierre Audonnet - MSFT 10,181 Reputation points Microsoft Employee
    2021-02-12T13:48:29.073+00:00

    You could use some javascript bits here. And grey out the username field if that's specified in a query string in the URL. But then the user could change the URL. So that's really to avoid user mistake, and has no security value.

    If you want to try this out, you can refer to the following documentation on how to modify the OnLoad.js JavaScript of the ADFS pages:
    https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/operations/advanced-customization-of-ad-fs-sign-in-pages

    Maybe something like this:

    // Runs from onload.js on the ADFS sign-in page. ADFS pre-fills the username
    // from login_hint; this only stops the user from editing it afterwards.
    var checkField = document.getElementById('userNameInput');
    if (checkField) {
       // Lock the field only when the query string carries a non-empty login_hint
       if (/[?&]login_hint=[^&]+/.test(window.location.search)) {
          checkField.readOnly = true;
       }
    }


    I did not test this, and you should probably do some additional tests like in case the login_hint is empty etc...

