Problem statement
We are setting up a new ADFS enterprise connection. Upon redirect to the enterprise ADFS login page, the login hint is supplied to the ADFS provider. The client has asked: “Our ADFS does not permit the user to use their email address to login. Thus, we need to remove the login hint.”
Is there a way to prevent passing the login hint to the ADFS provider, or to prevent the ADFS provider from using it?
Solution
Auth0 passes the login_hint parameter to the upstream IdP, and this behaviour cannot be changed at the moment. To add weight and visibility to the request, you can submit Product Feedback on our Community page: Feedback - Auth0 Community.
In the meantime, if you display the ADFS connection as a button (instead of waiting for the user to enter their email address), this parameter will not be sent, because Auth0 has no email value to forward.
Alternatively, you can prevent ‘login_hint’ from being sent by aliasing it to another parameter name, as exemplified here:
https://auth0.com/docs/authenticate/identity-providers/pass-parameters-to-idps#example-twitter
Per the example, you can set the following ‘upstream_params’:
{ "screen_name": { "alias": "login_hint" } }
This will result in the ‘login_hint’ value being passed in the ‘screen_name’ parameter instead, so no ‘login_hint’ parameter is sent to the IdP. The only drawback of this approach is that a parameter is still sent (with the same email value), so choose an alias name that the IdP will ignore.
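The following is an added example, not part of the original article or Auth0's own code. It models the aliasing behaviour described above so you can check, before changing a production connection, which parameters would reach the IdP: an incoming /authorize request carrying login_hint is reshaped by an upstream_params rule of the form {"idp_param": {"alias": "auth0_param"}}, and a check confirms that login_hint is no longer present. It also builds the body for the Management API call PATCH /api/v2/connections/{id}. The ADFS endpoint, client_id and email are constructed placeholders; the forwarding rule is a model of the documented behaviour, not Auth0's implementation.

```python
"""Model of Auth0 upstream_params aliasing (added example, not Auth0 code)."""
from urllib.parse import parse_qs, urlencode, urlsplit

# Connection setting taken from the article: forward the login_hint value
# under the name screen_name instead.
UPSTREAM_PARAMS = {"screen_name": {"alias": "login_hint"}}

# Placeholder ADFS authorize endpoint (constructed for this example).
IDP_AUTHORIZE = "https://adfs.example.invalid/adfs/oauth2/authorize"


def apply_upstream_params(authorize_params: dict, upstream_params: dict) -> dict:
    """Return the parameters forwarded to the IdP.

    Models the aliasing described in the article: for each rule
    {idp_name: {"alias": auth0_name}}, the value that arrived as auth0_name
    is forwarded under idp_name and dropped under its original name.
    Everything else is forwarded unchanged (a simplifying assumption).
    """
    forwarded = dict(authorize_params)
    for idp_name, rule in upstream_params.items():
        source = rule.get("alias")
        if source and source in forwarded:
            forwarded[idp_name] = forwarded.pop(source)
    return forwarded


def build_idp_redirect(base_url: str, params: dict) -> str:
    """Compose the redirect URL Auth0 would send the browser to."""
    return f"{base_url}?{urlencode(params)}"


def forwarded_query(redirect_url: str) -> dict:
    """Parse the IdP-bound query string into {name: value} for inspection."""
    return {k: v[0] for k, v in parse_qs(urlsplit(redirect_url).query).items()}


def login_hint_present(redirect_url: str) -> bool:
    """True if the IdP would still receive a login_hint parameter."""
    return "login_hint" in forwarded_query(redirect_url)


def management_patch_body(upstream_params: dict) -> dict:
    """Body for PATCH /api/v2/connections/{id}.

    Auth0 replaces the whole `options` object on PATCH, so in practice
    merge this into the connection's existing options rather than sending
    only this fragment.
    """
    return {"options": {"upstream_params": upstream_params}}


def demo() -> tuple:
    """Show the IdP redirect before and after the aliasing rule."""
    # Constructed /authorize parameters as Auth0 would receive them.
    incoming = {"client_id": "PLACEHOLDER_CLIENT_ID",
                "login_hint": "alice@example.invalid"}
    before = build_idp_redirect(IDP_AUTHORIZE, incoming)
    after = build_idp_redirect(
        IDP_AUTHORIZE, apply_upstream_params(incoming, UPSTREAM_PARAMS))
    return before, after


if __name__ == "__main__":
    before_url, after_url = demo()
    print("without alias:", forwarded_query(before_url))
    print("with alias:   ", forwarded_query(after_url))
    print("PATCH body:   ", management_patch_body(UPSTREAM_PARAMS))
```

Running the script prints the IdP-bound parameters for both cases; the aliased version contains screen_name but no login_hint, which is the outcome the article describes. Because the email value still travels in the aliased parameter, review the IdP's logs after the change to confirm it is ignored as intended.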