[Openid-specs-fastfed] FastFed Profile for SAML 2.0 LoginHint Proposal
Karl McGuinness
kmcguinness at okta.com
Tue Feb 25 16:47:02 UTC 2020
Hello FastFed Working Group,
The SAML 2.0 Web SSO profile unfortunately doesn't define a prescriptive pattern for flowing the user identifier from the Service Provider to the Identity Provider during SP-initiated SSO, resulting in poor UX for the end-user, who has to type their identifier twice. This is a very common interaction with SaaS, and I would love to see us take advantage of profiling SAML 2.0 with FastFed to define this pattern. OpenID Connect defines this pattern with the login_hint parameter. Some SAML implementations have carried this parameter over from OIDC to SAML.
I am proposing we add the following to the FastFed Profile for SAML 2.0. I used SAML Pascal Case naming convention for the parameter and not the OIDC snake_case convention.
LoginHint (OPTIONAL)
Hint to the Identity Provider about the login identifier the End-User might use to log in (if necessary). This hint can be used by an SP if it first asks the End-User for their e-mail address (or other identifier) and then wants to pass that value as a hint to the discovered Identity Provider. It is RECOMMENDED that the hint value match the value used for discovery. The use of this parameter is left to the Identity Provider's discretion.
This parameter must be encoded using binding-specific encoding rules, such as a URL-safe query parameter for the HTTP Redirect Binding or an HTML form-encoded parameter for the HTTP POST Binding. The LoginHint MUST NOT be included in the request signature for the HTTP Redirect Binding.
The Identity Provider MUST ignore the LoginHint parameter if the SAML Authentication Request message contains a <Subject> with an identifier, and process the request message according to the SAML 2.0 Authentication Request Protocol.
Example
HTTP/1.1 302 Found
Location: http://idp.example.com/SAML?LoginHint=darinm%40amazon.com&SAMLRequest=...
Thanks,
Karl
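The following is an added illustration of the proposal above, not code from the original post or from any FastFed implementation. It builds an HTTP Redirect Binding request the way the proposal describes (SAMLRequest, RelayState and SigAlg covered by the signature, LoginHint appended outside the signed input) and shows the IdP-side rule of ignoring LoginHint when the AuthnRequest carries a <Subject> with an identifier. The AuthnRequest XML, the entity IDs, the hint values and the signing key are all constructed placeholders; the signature is an HMAC-SHA256 stand-in for the RSA signature a real SP would produce under the SigAlg shown, chosen only to keep the example self-contained.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET
import zlib
from urllib.parse import parse_qs, urlencode, urlsplit

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SIG_ALG = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
# Stand-in for the SP's private key: an HMAC secret shared by both halves of this demo.
SIGNING_KEY = b"constructed-demo-key"

# Constructed sample AuthnRequest without a <Subject>.
AUTHN_REQUEST_NO_SUBJECT = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_req-0001" Version="2.0" IssueInstant="2020-02-25T16:47:02Z">'
    '<saml:Issuer>https://sp.example.com</saml:Issuer>'
    '</samlp:AuthnRequest>'
)
# Constructed sample AuthnRequest that already names the subject.
AUTHN_REQUEST_WITH_SUBJECT = AUTHN_REQUEST_NO_SUBJECT.replace(
    '</samlp:AuthnRequest>',
    '<saml:Subject><saml:NameID>bob@example.com</saml:NameID></saml:Subject>'
    '</samlp:AuthnRequest>')


def deflate_b64(xml: str) -> str:
    """Redirect binding encoding: raw DEFLATE (no zlib header) then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml.encode()) + comp.flush()).decode()


def inflate_b64(value: str) -> str:
    return zlib.decompress(base64.b64decode(value), -15).decode()


def sign(signed_input: str) -> str:
    """Stand-in signature over the Redirect binding's signed input string."""
    mac = hmac.new(SIGNING_KEY, signed_input.encode(), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def build_redirect_location(idp_sso_url: str, authn_request: str,
                            relay_state: str, login_hint: str = None) -> str:
    """SP side: signature covers SAMLRequest, RelayState and SigAlg only."""
    params = [("SAMLRequest", deflate_b64(authn_request)),
              ("RelayState", relay_state),
              ("SigAlg", SIG_ALG)]
    params.append(("Signature", sign(urlencode(params))))
    if login_hint:
        # Appended after signing, so it is never part of the signed input.
        params.append(("LoginHint", login_hint))
    return f"{idp_sso_url}?{urlencode(params)}"


def idp_handle_redirect(location: str) -> dict:
    """IdP side: verify the signed portion, then apply the LoginHint rule."""
    query = parse_qs(urlsplit(location).query)
    get = lambda k: query.get(k, [""])[0]
    signed_input = urlencode([("SAMLRequest", get("SAMLRequest")),
                              ("RelayState", get("RelayState")),
                              ("SigAlg", get("SigAlg"))])
    if not hmac.compare_digest(sign(signed_input), get("Signature")):
        raise ValueError("SAMLRequest signature did not verify")
    root = ET.fromstring(inflate_b64(get("SAMLRequest")))
    # A <Subject> carrying an identifier takes precedence over the hint.
    has_subject = root.find("saml:Subject/saml:NameID", NS) is not None
    hint = get("LoginHint") or None
    return {"has_subject": has_subject,
            "login_hint": None if has_subject else hint}


if __name__ == "__main__":
    loc = build_redirect_location("http://idp.example.com/SAML",
                                  AUTHN_REQUEST_NO_SUBJECT, "rs-1", "alice@example.com")
    print(loc)
    print(idp_handle_redirect(loc))
```

Because LoginHint sits outside the signed input, the IdP can only treat it as an unauthenticated pre-fill for the login form, which is consistent with leaving its use to the Identity Provider's discretion; anything the IdP actually relies on for authentication still comes from the signed request or from the authentication itself.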