<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">
<div class="">Hello FastFed Working Group,</div>
<div class=""><br class="">
</div>
<div class="">The SAML 2.0 Web SSO profile unfortunately doesn’t define a prescriptive pattern for flowing the user identifier from the Service Provider to the Identity Provider during SP-initiated SSO, resulting in poor UX for the end user, who has to type their
identifier twice. This is a very common interaction with SaaS, and I would love to see us take advantage of profiling SAML 2.0 with FastFed to define this pattern. OpenID Connect defines this pattern with the <span style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); font-family: CourierNewPSMT; font-size: 13.333333015441895px; orphans: 2; widows: 2; background-color: rgb(255, 255, 255);" class="">login_hint </span>parameter.
Some SAML implementations have carried this parameter over from OIDC to SAML.</div>
<div class=""><br class="">
</div>
<div class="">I am proposing we add the following to the FastFed Profile for SAML 2.0. I used SAML Pascal Case naming convention for the parameter and not the OIDC snake_case convention.</div>
<div class=""><br class="">
</div>
<div class=""><br class="">
</div>
<div class=""><dt class="" style="color: rgb(0, 0, 0); font-family: verdana, charcoal, helvetica, arial, sans-serif; font-size: small; font-variant-ligatures: normal; orphans: 2; widows: 2; background-color: rgb(255, 255, 255);">
LoginHint (OPTIONAL)</dt><dd class="" style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); font-family: ProximaNova-Regular; font-variant-ligatures: normal; orphans: 2; widows: 2; background-color: rgb(255, 255, 255);">
<font color="#000000" face="verdana, charcoal, helvetica, arial, sans-serif" size="2" class="">Hint to the Identity Provider about the login identifier the End-User might use to log in (if necessary). This hint can be used by an SP if it first asks the End-User
for their e-mail address (or other identifier) and then wants to pass that value as a hint to the discovered Identity Provider. It is RECOMMENDED that the hint value match the value used for discovery. The use of this parameter is left to the Identity Provider's
discretion.</font></dd><dd class="" style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); font-family: ProximaNova-Regular; font-variant-ligatures: normal; orphans: 2; widows: 2; background-color: rgb(255, 255, 255);">
<font color="#000000" face="verdana, charcoal, helvetica, arial, sans-serif" size="2" class=""><br class="">
</font></dd><dd class="" style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); font-family: ProximaNova-Regular; font-variant-ligatures: normal; orphans: 2; widows: 2; background-color: rgb(255, 255, 255);">
<font color="#000000" face="verdana, charcoal, helvetica, arial, sans-serif" size="2" class="">This parameter must be encoded using binding-specific encoding rules, such as a URL-safe query parameter for the HTTP Redirect Binding or an HTML form-encoded parameter
for the HTTP POST Binding. The LoginHint MUST NOT be included in the request signature for</font><span style="font-family: verdana, charcoal, helvetica, arial, sans-serif; font-size: small;" class=""> the HTTP Redirect Binding.</span></dd><dd class="" style="color: rgb(0, 0, 0); font-family: verdana, charcoal, helvetica, arial, sans-serif; font-size: small; font-variant-ligatures: normal; orphans: 2; widows: 2; background-color: rgb(255, 255, 255);">
<br class="">
</dd><dd class="" style="color: rgb(0, 0, 0); font-family: verdana, charcoal, helvetica, arial, sans-serif; font-size: small; font-variant-ligatures: normal; orphans: 2; widows: 2; background-color: rgb(255, 255, 255);">
The Identity Provider MUST ignore the LoginHint parameter if the SAML Authentication Request message contains a <span class="" style="font-family: CourierNewPSMT; font-size: 13.333333015441895px;">&lt;Subject&gt; </span>with an identifier, and process the request
message according to the SAML 2.0 Authentication Request Protocol.</dd></div>
<div class=""><br class="">
</div>
<div class=""><br class="">
</div>
<div class="">Example</div>
<div class="">
<table class="MsoTableGrid" border="1" cellspacing="0" cellpadding="0" style="caret-color: rgb(0, 0, 0); font-family: ProximaNova-Regular; background-color: rgb(255, 255, 207); border-collapse: collapse; border: none;">
<tbody class="">
<tr class="">
<td width="617" valign="top" style="width: 463.1pt; border: 1pt solid windowtext; padding: 0in 5.4pt;" class="">
<div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class="">
<span style="font-size: 10pt;" class=""><br class="">
<span style="color: black;" class="">HTTP/1.1 302 Found</span></span></div>
<div style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;" class="">
<span style="font-size: 10pt; color: black;" class="">Location: <a href="http://idp.example.com/SAML?LoginHint=darinm%40amazon.com&amp;SAMLRequest=" style="color: purple;" class="">http://idp.example.com/SAML?<b class="">LoginHint=darinm%40amazon.com</b>&amp;SAMLRequest=</a>...</span></div>
</td>
</tr>
</tbody>
</table>
<div class=""><br class="">
</div>
Thanks,</div>
<div class="">Karl<br class="">
</div>
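<div class="">As an added example that is not part of Karl's message or of any FastFed or SAML implementation, the following Python sketch walks through the exchange the proposal describes over the HTTP Redirect Binding: the SP deflates and base64-encodes the AuthnRequest, signs the SAMLRequest/RelayState/SigAlg portion of the query string, and appends LoginHint as a URL-safe parameter outside the signed data; the IdP verifies the signature over the received (still URL-encoded) signed parameters only, and applies the proposed rule that a request carrying a <span class="" style="font-family: CourierNewPSMT; font-size: 13.333333015441895px;">&lt;Subject&gt;</span> with an identifier makes it ignore the hint. Assumptions: HMAC-SHA256 with a shared demo key stands in for the RSA-SHA256 XML-DSig signature a real SP would produce with its private key, and the IdP URL, the AuthnRequest contents, the RelayState and the e-mail addresses are constructed sample data.</div>

```python
import base64
import hashlib
import hmac
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import quote, unquote, unquote_plus, urlencode, urlsplit

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SIG_ALG = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
# Assumption: a shared secret stands in for the SP's RSA signing key so the
# example runs without a PKI; a real SP signs with RSA-SHA256 as SigAlg says.
SP_KEY = b"demo-sp-signing-key-not-real"


def build_authn_request(subject_name_id=None):
    """Constructed sample AuthnRequest, optionally carrying a <Subject> NameID."""
    subject = ""
    if subject_name_id:
        subject = f"<saml:Subject><saml:NameID>{subject_name_id}</saml:NameID></saml:Subject>"
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_req1" '
        f'Version="2.0" IssueInstant="2019-01-01T00:00:00Z" '
        f'AssertionConsumerServiceURL="https://sp.example.com/acs">'
        f"<saml:Issuer>https://sp.example.com</saml:Issuer>{subject}</samlp:AuthnRequest>"
    )


def deflate_b64(xml):
    """HTTP-Redirect binding encoding: raw DEFLATE (no zlib header), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml.encode()) + comp.flush()).decode()


def inflate_b64(value):
    return zlib.decompress(base64.b64decode(value), -15).decode()


def signed_portion(encoded):
    """Signature input per SAML 2.0 Bindings 3.4.4.1: the URL-encoded SAMLRequest,
    RelayState (if present) and SigAlg, in that order, joined by '&'.
    LoginHint is deliberately not part of it."""
    parts = ["SAMLRequest=" + encoded["SAMLRequest"]]
    if "RelayState" in encoded:
        parts.append("RelayState=" + encoded["RelayState"])
    parts.append("SigAlg=" + encoded["SigAlg"])
    return "&".join(parts)


def sign(data):
    mac = hmac.new(SP_KEY, data.encode(), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def sp_redirect_url(idp_sso_url, authn_request_xml, login_hint=None, relay_state=None):
    """SP side: build the Location header value for the 302 to the IdP."""
    encoded = {"SAMLRequest": quote(deflate_b64(authn_request_xml), safe=""),
               "SigAlg": quote(SIG_ALG, safe="")}
    if relay_state is not None:
        encoded["RelayState"] = quote(relay_state, safe="")
    query = signed_portion(encoded)
    query += "&Signature=" + quote(sign(query), safe="")
    if login_hint is not None:
        # Appended after Signature as a URL-safe query parameter, outside the signed data.
        query += "&" + urlencode({"LoginHint": login_hint})
    return f"{idp_sso_url}?{query}"


def idp_process(url):
    """IdP side: verify the signature over the received (still-encoded) values,
    then apply the LoginHint rule from the proposal."""
    raw = {}
    for pair in urlsplit(url).query.split("&"):
        name, _, value = pair.partition("=")
        raw[name] = value
    expected = sign(signed_portion(raw))
    if not hmac.compare_digest(expected, unquote(raw.get("Signature", ""))):
        raise ValueError("signature verification failed")
    root = ET.fromstring(inflate_b64(unquote(raw["SAMLRequest"])))
    name_id = root.find(f"{{{SAML}}}Subject/{{{SAML}}}NameID")
    hint = unquote_plus(raw["LoginHint"]) if "LoginHint" in raw else None
    if name_id is not None and name_id.text:
        # <Subject> carries an identifier: LoginHint MUST be ignored.
        return {"identifier": name_id.text, "source": "Subject", "hint_ignored": hint is not None}
    # LoginHint is unsigned: use it to prefill the login form, never as proof of identity.
    return {"identifier": hint, "source": "LoginHint" if hint else None, "hint_ignored": False}


def replace_hint(url, new_hint):
    """Swap the LoginHint on an already-signed URL (it sits outside the signature)."""
    base, _, _ = url.partition("&LoginHint=")
    return base + "&" + urlencode({"LoginHint": new_hint})


if __name__ == "__main__":
    url = sp_redirect_url("https://idp.example.com/SAML", build_authn_request(), "darinm@amazon.com")
    print("Location:", url)
    print(idp_process(url))
```

<div class="">Running it prints a Location header of the same shape as the one in the table above, with LoginHint=darinm%40amazon.com after the Signature parameter. Because the hint is outside the signed portion, anyone who can edit the redirect URL can change it without breaking signature verification (replace_hint shows this), which is why the IdP should only use it to prefill the identifier field and must still authenticate the user normally; a request whose AuthnRequest carries a &lt;Subject&gt; NameID ignores the hint altogether.</div>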
</body>
</html>