Login hints can be a helpful way for a Service Provider (SP) to influence the user login experience. For this purpose, the SAML protocol defines an optional property called Subject that can be sent in an authentication request by the SP. The Subject property specifies information, such as the NameId of the user. You may choose to use this information to autofill the login page. Therefore, the Subject property can be treated the same as OpenID Connect's login_hint parameter.

Here's an example SAML authentication request with the Subject element.
    <saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                         xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                         ID="_24ab5de2147f4a2cac075880a90a5ce8"
                         Version="2.0"
                         IssueInstant="2022-08-25T14:15:53Z"
                         Destination="https://local.idp/sso">
        <saml2:Issuer>https://local.sp</saml2:Issuer>
        <saml2:Subject>
            <saml2:NameID>bob</saml2:NameID>
        </saml2:Subject>
    </saml2p:AuthnRequest>
Handling the Requested Subject
By default, we will store the requested subject in the request context, which can be accessed using the GetRequestContext method on the SAML interaction service, ISamlInteractionService. You can use the subject to populate the login view model.

This example shows that the NameId is used as the username. However, you may choose to perform additional logic here.
    // samlInteractionService is an injected ISamlInteractionService field on the controller.
    private async Task<LoginViewModel> BuildLoginViewModelAsync(string returnUrl)
    {
        var samlContext = await samlInteractionService.GetRequestContext(returnUrl);

        // Subject is optional in an AuthnRequest, so the whole chain must be null-safe:
        // a request without a Subject must not throw, it simply yields no prefilled username.
        // The value is only a hint supplied by the SP; the user still has to authenticate.
        return new LoginViewModel
        {
            ReturnUrl = returnUrl,
            Username = samlContext?.RequestedSubject?.NameId?.Value
        };
    }
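The same handling written as a stand-alone program, as an added example that is not part of the SAML component or this page's code: it parses the AuthnRequest shown above (embedded here as a constructed sample, with and without a Subject), extracts the namespaced Subject/NameID, and applies the login_hint treatment of using it only to prefill the form. The class and method names are assumptions for illustration.

```csharp
using System;
using System.Xml.Linq;

// Added example: read the optional Subject/NameID from a SAML 2.0 AuthnRequest
// and use it as a login hint only (prefill), never as proof of identity.
public static class SubjectLoginHint
{
    private static readonly XNamespace Saml2P = "urn:oasis:names:tc:SAML:2.0:protocol";
    private static readonly XNamespace Saml2 = "urn:oasis:names:tc:SAML:2.0:assertion";

    // Returns the NameID value to prefill, or null when the request carries no usable hint.
    public static string? GetLoginHint(string authnRequestXml)
    {
        var request = XElement.Parse(authnRequestXml);
        if (request.Name != Saml2P + "AuthnRequest") return null;

        // Subject is optional in an AuthnRequest, so a missing element is the normal case.
        // Both elements live in the assertion namespace, so match on the qualified name.
        var nameId = request.Element(Saml2 + "Subject")?.Element(Saml2 + "NameID")?.Value.Trim();
        if (string.IsNullOrEmpty(nameId)) return null;

        // The hint is unauthenticated input chosen by the SP: only prefill the username
        // field with it, and drop values that do not look like something a user would type.
        if (nameId.Length > 256 || nameId.IndexOfAny(new[] { '\r', '\n', '<', '>' }) >= 0) return null;
        return nameId;
    }

    public static void Main()
    {
        // Constructed sample: the AuthnRequest from the page, first with and then without a Subject.
        const string withSubject = @"<saml2p:AuthnRequest xmlns:saml2p=""urn:oasis:names:tc:SAML:2.0:protocol""
              xmlns:saml2=""urn:oasis:names:tc:SAML:2.0:assertion"" ID=""_24ab5de2147f4a2cac075880a90a5ce8""
              Version=""2.0"" IssueInstant=""2022-08-25T14:15:53Z"" Destination=""https://local.idp/sso"">
            <saml2:Issuer>https://local.sp</saml2:Issuer>
            <saml2:Subject><saml2:NameID>bob</saml2:NameID></saml2:Subject>
          </saml2p:AuthnRequest>";
        const string withoutSubject = @"<saml2p:AuthnRequest xmlns:saml2p=""urn:oasis:names:tc:SAML:2.0:protocol""
              xmlns:saml2=""urn:oasis:names:tc:SAML:2.0:assertion"" ID=""_24ab5de2147f4a2cac075880a90a5ce8""
              Version=""2.0"" IssueInstant=""2022-08-25T14:15:53Z"" Destination=""https://local.idp/sso"">
            <saml2:Issuer>https://local.sp</saml2:Issuer>
          </saml2p:AuthnRequest>";

        Console.WriteLine(GetLoginHint(withSubject) ?? "(no hint)");
        Console.WriteLine(GetLoginHint(withoutSubject) ?? "(no hint)");
    }
}
```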