Asked by DisplayName-3010, edited by amanpreetsingh-msft

Domain_hint alternative for saml

Hello,

For a direct Login with OpenID Connect the domain_hint can be used to select the provider. Is there a similar option for a SAML flow to directly select the provider?

Tag: azure-ad-b2c

1 Answer

Answered by amanpreetsingh-msft (edited by amanpreetsingh-msft)

Hi @DisplayName-3010 • Thank you for reaching out.

To use Domain Hint in SAML, the SAML authentication request must contain either a domain hint or a query string whr=example.com.

To include the domain hint in the SAML request, you should use the Scoping XML node, and include a single entry IDPEntry under the IDPList (at this time, only the first IDPEntry node is used by Azure AD). Here’s an example of what the request would look like with “example.com” as the domain name hint:

<samlp:AuthnRequest xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="iddeb9381bc15e4fd6a253b97205d47c6f" Version="2.0" IssueInstant="2015-02-26T18:57:06.4772751Z" IsPassive="false" AssertionConsumerServiceURL="https://www.authnauthz.com/saml/inboundauthnresponse" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml:Issuer>https://www.authnauthz.com</saml:Issuer>
    <!-- Scoping carries the domain hint; only the first IDPEntry is used by Azure AD -->
    <samlp:Scoping>
        <samlp:IDPList>
            <samlp:IDPEntry ProviderID="https://example.com" Name="example.com"/>
        </samlp:IDPList>
    </samlp:Scoping>
</samlp:AuthnRequest>


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
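As an added illustration (not Microsoft's code and not from the answer above), the following Python builds an AuthnRequest that carries the domain hint in Scoping/IDPList/IDPEntry and, on the receiving side, reads back only the first IDPEntry, the way the answer says Azure AD does. The issuer URL, ACS URL, request ID and domain are constructed sample values; the optional allow-list check is an assumption about how a receiver should treat a hint that arrives in an unauthenticated request.

```python
# Added example: build and parse the Scoping/IDPList/IDPEntry domain hint.
# Namespaces are the standard SAML 2.0 URIs; all other values are constructed samples.
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def build_authn_request(issuer: str, acs_url: str, request_id: str,
                        issue_instant: str, domain_hint: str) -> str:
    """Return an AuthnRequest (as XML text) whose Scoping element carries domain_hint."""
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id, "Version": "2.0", "IssueInstant": issue_instant,
        "IsPassive": "false", "AssertionConsumerServiceURL": acs_url,
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    scoping = ET.SubElement(req, f"{{{SAMLP}}}Scoping")
    idp_list = ET.SubElement(scoping, f"{{{SAMLP}}}IDPList")
    # One IDPEntry: ProviderID is the IdP URL, Name is the bare domain hint.
    ET.SubElement(idp_list, f"{{{SAMLP}}}IDPEntry",
                  {"ProviderID": f"https://{domain_hint}", "Name": domain_hint})
    return ET.tostring(req, encoding="unicode")


def extract_domain_hint(xml_text: str, allowed_domains=None):
    """Return the Name of the first IDPEntry, or None if absent or not allowed.

    Only the first entry is honoured, matching the behaviour described above.
    allowed_domains (assumed, optional): a set of federated domains the receiver
    knows; a hint outside it is ignored rather than used to route the sign-in.
    Parse untrusted SAML with a hardened parser (e.g. defusedxml) in production.
    """
    root = ET.fromstring(xml_text)
    entry = root.find(f"{{{SAMLP}}}Scoping/{{{SAMLP}}}IDPList/{{{SAMLP}}}IDPEntry")
    if entry is None:
        return None
    hint = entry.get("Name")
    if allowed_domains is not None and hint not in allowed_domains:
        return None
    return hint


if __name__ == "__main__":
    request = build_authn_request("https://www.authnauthz.com",
                                  "https://www.authnauthz.com/saml/inboundauthnresponse",
                                  "id-constructed-0001", "2015-02-26T18:57:06Z",
                                  "example.com")
    print(request)
    print("hint:", extract_domain_hint(request, {"example.com"}))
```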
