Pass login_hint to SAML provider

Problem statement

We use Auth0 for SSO across several different IdPs in our application. We have noticed that the ADFS Enterprise Connections will pass login_hint to the IdP, but our SAML Enterprise Connections do not. Is this something that can be enabled for SAML?

Solution

Please be aware that this configuration is only known to work with the New Universal Login experience with Identifier First set as the Authentication Profile.

Passing a login hint to a SAML IdP is possible through the template variable @@LoginHint@@, which Auth0 substitutes when it builds the AuthnRequest. Add it to the Request Template field of the SAML connection in the Auth0 dashboard.

Example code (the NameID element belongs to the SAML assertion namespace, so it carries the saml: prefix declared on the Subject):

<saml:Subject xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml:NameID>@@LoginHint@@</saml:NameID>
</saml:Subject>

Full request template that works with Auth0 as the SP; tested with Auth0 also acting as the IdP:

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    @@AssertServiceURLAndDestination@@
    ID="@@ID@@"
    IssueInstant="@@IssueInstant@@"
    AppName="@@ProviderName@@"
    ProtocolBinding="@@ProtocolBinding@@" Version="2.0">
    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@@Issuer@@</saml:Issuer>
    <!-- The hint travels as the Subject NameID; Auth0 fills in @@LoginHint@@ -->
    <saml:Subject xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
        <saml:NameID>@@LoginHint@@</saml:NameID>
    </saml:Subject>
</samlp:AuthnRequest>
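A constructed check, added here and not part of Auth0's template engine or this article, that renders the template above with sample values, parses the result the way an IdP would, and confirms the hint lands in saml:Subject/saml:NameID with any special characters in the hint XML-escaped. The sample values and the assumption that @@AssertServiceURLAndDestination@@ expands to ready-made attributes while the other variables expand to text are mine, not documented Auth0 behaviour.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# The Request Template from this article, with NameID in the saml namespace.
TEMPLATE = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
@@AssertServiceURLAndDestination@@
    ID="@@ID@@"
    IssueInstant="@@IssueInstant@@"
    AppName="@@ProviderName@@"
    ProtocolBinding="@@ProtocolBinding@@" Version="2.0">
    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@@Issuer@@</saml:Issuer>
    <saml:Subject xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
        <saml:NameID>@@LoginHint@@</saml:NameID>
    </saml:Subject>
</samlp:AuthnRequest>"""

ATTRIBUTE_VARS = {"AssertServiceURLAndDestination"}  # assumed: expands to attributes

# Constructed sample values; for real requests Auth0 fills these in itself.
SAMPLE_VALUES = {
    "AssertServiceURLAndDestination":
        'AssertionConsumerServiceURL="https://example.auth0.com/login/callback"\n'
        '    Destination="https://idp.example.com/sso"',
    "ID": "_2f9c1e0b",
    "IssueInstant": "2024-01-01T00:00:00Z",
    "ProviderName": "example-app",
    "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    "Issuer": "urn:example:auth0",
    "LoginHint": "alice@example.com",
}

def render(template, values):
    """Fill @@Name@@ placeholders, XML-escaping text so a hint cannot inject markup."""
    def sub(match):
        name = match.group(1)
        if name in ATTRIBUTE_VARS:
            return values[name]  # already attribute markup, not text
        return escape(values[name], {'"': "&quot;"})
    return re.sub(r"@@(\w+)@@", sub, template)

def extract_login_hint(xml_text):
    """Parse the request as the IdP would; return saml:Subject/saml:NameID text or None."""
    root = ET.fromstring(xml_text)
    node = root.find("saml:Subject/saml:NameID", NS)
    return None if node is None else node.text
```

An IdP that does not find the NameID under the assertion namespace will simply ignore the hint, which is the symptom to check first when the login form still asks for the identifier.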
