Last Updated: Jul 25, 2025
Overview
This article explains how to pass the login_hint parameter to a Security Assertion Markup Language (SAML) Identity Provider (IdP). In a Single Sign-On (SSO) environment, SAML Enterprise Connections do not pass this parameter by default.
Applies To
- login_hint
- New Universal Login
- Identifier First
- SAML Enterprise Connections
Solution
Prerequisite: This configuration is confirmed to work only with the New Universal Login experience when the Authentication Profile is set to Identifier First.
To pass a login_hint to a SAML IdP, modify the Request Template field for the SAML connection in the Auth0 dashboard. Add the @@LoginHint@@ template variable inside the saml:Subject element of the request template.
Example Snippet:
<saml:Subject xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<NameID>@@LoginHint@@</NameID>
</saml:Subject>
The following is a full request template provided for reference. It is confirmed to work when Auth0 is the IdP.
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
@@AssertServiceURLAndDestination@@
ID="@@ID@@"
IssueInstant="@@IssueInstant@@"
AppName="@@ProviderName@@"
ProtocolBinding="@@ProtocolBinding@@" Version="2.0">
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@@Issuer@@</saml:Issuer>
<saml:Subject xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<NameID>@@LoginHint@@</NameID>
</saml:Subject>
</samlp:AuthnRequest>