There are several unanswered questions on this from some time ago, so I hope there is a positive update on this in 2025…
I have a very standard Application configured, with the SAML IDP enabled in the Addons of this application. I have configured this to using “Identifier First” in the Authentication Profile, and have not modified the .
This works well to authenticate SAML service providers for everything except using login_hint to pre-populate the email address, meaning in a SP initiated flow, the user is required to enter their email address twice (which is unacceptable from a UX perspective).
How can I configure this SAML IDP to correctly retrieve and pre-populate the email address from the login_hint parameter?
In order to pass a login_hint to a SAML IdP, you would need to modify the Request Template field for the SAML connection in the Auth0 dashboard.
Could you please try adding the @@LoginHint@@ template variable inside the saml:Subject element of the request template? It should look something like this:
Sorry if I wasn’t clear. I don’t have an external SAML IDP, I am using Auth0 as the SAML IDP. Configured through Application → Addons → SAML2 WEB APP.
This behaves correctly to operate as a SAML identity provider in every way except that when the SP collects the email address on its login form, then redirects to the SAML IDP with login_hint set as a URL parameter. When Auth0 then redirects to /u/login/identifier the login_hint is discarded and not prefilled.
My service provider is redirecting the client to the Auth0 hosted SAML IDP as follows:
It is then redirected (by Auth0) to /u/login/identifier?state=STATE
The Auth0 login form then presents the user with an empty email address field, which is terrible for user experience… other SaaS based IDPs prefill this automatically, so I’m wondering why Auth0 doesn’t? It’s a very simple but incredibly common and useful behaviour…
How can this login_hint be propagated to the backend for this prefilling to occur?
@nik.baleca ok I think after spending some more time on this I can see the issue.
I don’t actually want/need Auth0 to act as a SAML SP, which is where I was getting confused. I can prefill the email by modifying the generated SAML Request from a test application without going through all the “Enterprise Connection” procedures (which I found a bit confusing when searching your documentation about why I would need to do that for my use case).
The confusion arises because several large IDPs seem to have now removed support for the “Subject” in the SAML Request in favour of the login_hint URL parameter. Entra ID and Google for example.
Since this has been asked quite a few times over the last few years, I’m assuming Auth0 would not consider implementing the login_hint for SAML IDP in the same way as Entra ID/Google? It’s difficult trying to integrate SPs with different IDPs when they all behave slightly differently on the IDP side!
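The SP-initiated request the poster describes, with the email both inside the saml:Subject of the AuthnRequest and as a login_hint URL parameter, as an added example in Python (not code from this thread or from Auth0). The SP entity ID, ACS URL, and the TENANT/CLIENT_ID placeholders in the Auth0 SSO URL are assumptions; the request is unsigned, so use it only where the IdP does not require signed requests.

```python
import base64
import uuid
import zlib
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlparse
from xml.etree import ElementTree as ET

NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NAMEID_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

def build_authn_request(sp_entity_id, acs_url, idp_sso_url, email):
    """Unsigned SAML 2.0 AuthnRequest whose saml:Subject/NameID carries the email."""
    ET.register_namespace("samlp", NS_SAMLP)
    ET.register_namespace("saml", NS_SAML)
    req = ET.Element(f"{{{NS_SAMLP}}}AuthnRequest", {
        "ID": "_" + uuid.uuid4().hex,          # must start with a letter or underscore
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": idp_sso_url,
        "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    ET.SubElement(req, f"{{{NS_SAML}}}Issuer").text = sp_entity_id
    # The Subject is the SAML-core way to tell the IdP who is logging in.
    subject = ET.SubElement(req, f"{{{NS_SAML}}}Subject")
    ET.SubElement(subject, f"{{{NS_SAML}}}NameID", {"Format": NAMEID_EMAIL}).text = email
    return ET.tostring(req, encoding="unicode")

def redirect_url(idp_sso_url, authn_request_xml, email, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE, base64, URL-encode; login_hint added alongside."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)   # -15 = raw deflate, no zlib header
    raw = comp.compress(authn_request_xml.encode("utf-8")) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(raw).decode("ascii"), "login_hint": email}
    if relay_state:
        params["RelayState"] = relay_state
    return f"{idp_sso_url}?{urlencode(params)}"

def decode_saml_request(url):
    """Inverse of redirect_url: what an IdP sees (XML, Subject NameID, login_hint)."""
    qs = parse_qs(urlparse(url).query)
    raw = base64.b64decode(qs["SAMLRequest"][0])
    xml = zlib.decompress(raw, -15).decode("utf-8")
    nameid = ET.fromstring(xml).find(f"{{{NS_SAML}}}Subject/{{{NS_SAML}}}NameID")
    return xml, (nameid.text if nameid is not None else None), qs.get("login_hint", [None])[0]
```

decode_saml_request lets you confirm, before testing against a live tenant, that both the Subject NameID and the login_hint survive the encoding your SP emits.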
Sorry for replying so late to your last post regarding the topic.
Thanks for all the additional information on the matter. Indeed, login_hint is now preferred by most IdPs instead of the Subject inside the SAML Request; that was an oversight on my part. However, if a SAML connection is not implemented using an Enterprise Connection.
In this situation, if the specific IdPs do not support the specific SAML Request configuration, then the login_hint might not forward as intended unfortunately. I would highly recommend in this situation to submit a feedback topic regarding having the SAML Add-on or connection support passing in the login_hint parameter inside the URL.