Login hints can be a helpful way for a Service Provider (SP) to influence the user login experience.
For this purpose, the SAML protocol defines an optional property called Subject that can be sent in an authentication request by the SP.
The Subject property specifies information, such as the NameId of the user.
You may choose to use this information to autofill the login page.
In this respect, the Subject property plays the same role as OpenID Connect's login_hint parameter: it is a hint supplied by the SP to shape the login page, not an authenticated identity.
Here's an example SAML authentication request with the Subject element.
<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                     xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                     ID="_24ab5de2147f4a2cac075880a90a5ce8"
                     Version="2.0"
                     IssueInstant="2022-08-25T14:15:53Z"
                     Destination="https://local.idp/sso">
    <saml2:Issuer>https://local.sp</saml2:Issuer>
    <saml2:Subject>
        <saml2:NameID>bob</saml2:NameID>
    </saml2:Subject>
</saml2p:AuthnRequest>
Handling the Requested Subject
By default, we will store the requested subject in the request context, which can be accessed using the GetRequestContext method on the SAML interaction service, ISamlInteractionService.
You can use the subject to populate the login view model.
This example shows that the NameId is used as the username. However, you may choose to perform additional logic here.
// Builds the login view model, prefilling the username from the requested subject
// when the SP sent one. The hint is untrusted input and is only used to prefill the field.
private async Task<LoginViewModel> BuildLoginViewModelAsync(string returnUrl)
{
    var samlContext = await samlInteractionService.GetRequestContext(returnUrl);

    return new LoginViewModel
    {
        ReturnUrl = returnUrl,
        // Subject is optional in the AuthnRequest, so RequestedSubject may be null.
        Username = samlContext?.RequestedSubject?.NameId?.Value
    };
}
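To show what the component does for you when it populates RequestedSubject, here is an added Python example (not part of this page or of the product) that extracts the login hint from the AuthnRequest shown above with namespace-aware parsing and returns None when the optional Subject element is absent, so the login page still renders. Both requests are constructed samples; in a real IdP, SP-supplied XML should be parsed with defusedxml rather than the standard library parser.

```python
import xml.etree.ElementTree as ET  # use defusedxml for SP-supplied XML in production

SAML2P = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml2p": SAML2P, "saml2": SAML2}

# Constructed sample: the page's AuthnRequest, carrying the optional Subject element.
AUTHN_REQUEST_WITH_SUBJECT = f"""<saml2p:AuthnRequest xmlns:saml2p="{SAML2P}" xmlns:saml2="{SAML2}"
    ID="_24ab5de2147f4a2cac075880a90a5ce8" Version="2.0"
    IssueInstant="2022-08-25T14:15:53Z" Destination="https://local.idp/sso">
  <saml2:Issuer>https://local.sp</saml2:Issuer>
  <saml2:Subject>
    <saml2:NameID>bob</saml2:NameID>
  </saml2:Subject>
</saml2p:AuthnRequest>"""

# Constructed sample: a request from the same SP with no Subject (the element is optional).
AUTHN_REQUEST_NO_SUBJECT = f"""<saml2p:AuthnRequest xmlns:saml2p="{SAML2P}" xmlns:saml2="{SAML2}"
    ID="_3f0c1b7d2e9a4c5d8b6e7f0a1b2c3d4e" Version="2.0"
    IssueInstant="2022-08-25T14:16:10Z" Destination="https://local.idp/sso">
  <saml2:Issuer>https://local.sp</saml2:Issuer>
</saml2p:AuthnRequest>"""


def requested_subject(authn_request_xml):
    """Return the NameID the SP sent as a login hint, or None when no Subject is present.

    The value is an unauthenticated hint chosen by the SP: use it to prefill the
    username field, never to decide which account the user is signing in to.
    """
    root = ET.fromstring(authn_request_xml)
    if root.tag != f"{{{SAML2P}}}AuthnRequest":
        raise ValueError("not a SAML 2.0 AuthnRequest")
    name_id = root.find("saml2:Subject/saml2:NameID", NS)  # namespace-aware lookup
    if name_id is None or not (name_id.text or "").strip():
        return None
    return name_id.text.strip()


def build_login_view_model(return_url, authn_request_xml):
    """Counterpart of the page's BuildLoginViewModelAsync: Username is prefilled from
    the hint when present and left empty otherwise."""
    return {"ReturnUrl": return_url, "Username": requested_subject(authn_request_xml)}
```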