[Openid-specs-fastfed] FastFed Profile for SAML 2.0 LoginHint Proposal

McAdams, Darin darinm at amazon.com
Wed Feb 26 04:08:27 UTC 2020


Group - this looks straightforward and helpful, so unless anyone has comments, I will fold it into the spec.

From: Openid-specs-fastfed <openid-specs-fastfed-bounces at lists.openid.net> on behalf of Openid-specs-fastfed <openid-specs-fastfed at lists.openid.net>
Reply-To: Karl McGuinness <kmcguinness at okta.com>
Date: Tuesday, February 25, 2020 at 8:48 AM
To: Openid-specs-fastfed <openid-specs-fastfed at lists.openid.net>
Subject: [Openid-specs-fastfed] FastFed Profile for SAML 2.0 LoginHint Proposal

Hello FastFed Working Group,

The SAML 2.0 Web SSO profile unfortunately doesn't define a prescriptive pattern for flowing the user identifier from the Service Provider to the Identity Provider during SP-initiated SSO, resulting in poor UX for the end-user, who has to type their identifier twice. This is a very common interaction with SaaS, and I would love to see us take advantage of profiling SAML 2.0 with FastFed to define this pattern. OpenID Connect defines this pattern with the login_hint parameter. Some SAML implementations have carried this parameter over from OIDC to SAML.

I am proposing we add the following to the FastFed Profile for SAML 2.0. I used the SAML Pascal Case naming convention for the parameter and not the OIDC snake_case convention.


LoginHint (OPTIONAL)
Hint to the Identity Provider about the login identifier the End-User might use to log in (if necessary). This hint can be used by an SP if it first asks the End-User for their e-mail address (or other identifier) and then wants to pass that value as a hint to the discovered Identity Provider. It is RECOMMENDED that the hint value match the value used for discovery. The use of this parameter is left to the Identity Provider's discretion.

This parameter MUST be encoded using binding-specific encoding rules, such as a URL-safe query parameter for the HTTP Redirect Binding or an HTML form-encoded parameter for the HTTP POST Binding. The LoginHint MUST NOT be included in the request signature for the HTTP Redirect Binding.

The Identity Provider MUST ignore the LoginHint parameter if the SAML Authentication Request message contains a <Subject> with an identifier, and process the request message according to the SAML 2.0 Authentication Request Protocol.


Example


HTTP/1.1 302 Found
Location: http://idp.example.com/SAML?LoginHint=darinm%40amazon.com&SAMLRequest=...



Thanks,
Karl

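The two rules in the proposal (LoginHint sits outside the Redirect Binding signature, and the IdP ignores it when the AuthnRequest already carries a <Subject>) as an added, runnable illustration; this is not code from the thread or from any FastFed implementation. The helper names, the sample AuthnRequest XML and the relay state are constructed for the example, and the actual RSA-SHA256 signature step is left to the SP's signing library.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"  # namespace of <Subject> / <NameID>

def deflate_b64(xml: str) -> str:
    """SAMLRequest encoding for the HTTP Redirect Binding: raw DEFLATE, then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = raw DEFLATE, no zlib header
    return base64.b64encode(comp.compress(xml.encode()) + comp.flush()).decode()

def build_redirect(idp_sso_url, authn_request_xml, login_hint=None, relay_state=None):
    """SP side (hypothetical helper). Returns (signing_input, location).
    The Redirect Binding signs exactly 'SAMLRequest=..[&RelayState=..]&SigAlg=..';
    the SP's library would append '&Signature=<base64>' to that string (not done here).
    LoginHint is added after the signed part, so it never enters the signature."""
    params = {"SAMLRequest": deflate_b64(authn_request_xml)}
    if relay_state is not None:
        params["RelayState"] = relay_state
    params["SigAlg"] = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
    signing_input = urlencode(params)  # URL-safe query encoding of the signed part
    query = signing_input
    if login_hint:
        query += "&" + urlencode({"LoginHint": login_hint})  # '@' becomes %40
    return signing_input, f"{idp_sso_url}?{query}"

def idp_login_hint(location: str):
    """IdP side (hypothetical helper): the identifier to prefill on the login form,
    or None when the AuthnRequest already carries a <Subject> with an identifier.
    LoginHint is unsigned, so it is only ever a UI hint, never an authenticated identity."""
    qs = parse_qs(urlsplit(location).query)
    raw = zlib.decompress(base64.b64decode(qs["SAMLRequest"][0]), -15)
    subject = ET.fromstring(raw).find(f"{{{SAML}}}Subject")
    if subject is not None and any(
        c.tag.endswith(("}NameID", "}EncryptedID", "}BaseID")) for c in subject
    ):
        return None
    return qs.get("LoginHint", [None])[0]

# Constructed sample AuthnRequests (not taken from the mailing list post).
_HDR = ('<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_req1" Version="2.0" '
        'IssueInstant="2020-02-25T16:48:00Z"><saml:Issuer>https://sp.example.com</saml:Issuer>')
REQ_NO_SUBJECT = _HDR + "</samlp:AuthnRequest>"
REQ_WITH_SUBJECT = _HDR + ("<saml:Subject><saml:NameID>someone@example.com</saml:NameID>"
                           "</saml:Subject></samlp:AuthnRequest>")
```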

