I have added Okta as an External Identity in Azure AD using WS-Fed (SAML). This is all working, but as it stands the users have to enter their email address twice, once on the Azure AD login screen and again on the IdP (Okta) login screen, so it's not the best end-user experience.
The external IdP (Okta) supports the username being passed as part of the URI string, for example: ../sso/[email protected]
I am trying to pass the username as a parameter to "Passive authentication endpoint".
Is it possible to pass a variable as part of the 'Passive authentication endpoint' URL, or is there any other way to pass the login_hint to the IdP (Okta)?
Thanks in advance for any help or suggestions.
Dev
login_hint is a subject field in the SAML AuthN request. Azure AD does not support parsing out the user hint from the subject claim in the request. So, as of now, Azure AD can use login_hint only when OIDC/OAuth is used.
However, you can use domain_hint with SAML: the SAML authentication request must contain either a domain hint or a query string whr="idp.com".
https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/home-realm-discovery-policy#domain-hints
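As an added illustration of the domain-hint route from the answer above (example code, not from the question, the answer or Microsoft's docs): an SP-initiated SAML redirect to the Azure AD SAML endpoint with the home realm carried in the `whr` query string, so Azure AD can send the user straight to the federated IdP. The tenant id, issuer, ACS URL and `idp.com` are placeholders, and the request is unsigned for brevity.

```python
# Added example: build a SAML HTTP-Redirect binding URL to Azure AD that carries
# the domain hint as the whr query-string parameter. All identifiers are placeholders.
import base64
import uuid
import zlib
from datetime import datetime, timezone
from typing import Optional
from urllib.parse import urlencode, urlparse, parse_qs
from xml.sax.saxutils import escape

SAML_ENDPOINT = "https://login.microsoftonline.com/{tenant_id}/saml2"  # tenant id is a placeholder


def build_authn_request(issuer: str, acs_url: str) -> str:
    """Minimal unsigned SAML 2.0 AuthnRequest for the HTTP-Redirect binding."""
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="_{uuid.uuid4().hex}" Version="2.0" IssueInstant="{now}" '
        f'AssertionConsumerServiceURL="{escape(acs_url, {chr(34): "&quot;"})}" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f"<saml:Issuer>{escape(issuer)}</saml:Issuer>"
        "</samlp:AuthnRequest>"
    )


def encode_redirect_payload(xml: str) -> str:
    """Redirect binding encoding: raw DEFLATE (no zlib header), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml.encode()) + comp.flush()).decode()


def decode_redirect_payload(payload: str) -> str:
    """Inverse of encode_redirect_payload, useful for inspecting an outgoing request."""
    return zlib.decompress(base64.b64decode(payload), -15).decode()


def build_login_url(tenant_id: str, issuer: str, acs_url: str, home_realm: str) -> str:
    """Azure AD SAML sign-in URL with the SAMLRequest and the whr domain hint."""
    params = {
        "SAMLRequest": encode_redirect_payload(build_authn_request(issuer, acs_url)),
        "whr": home_realm,  # domain hint: the verified domain federated to the external IdP
    }
    return SAML_ENDPOINT.format(tenant_id=tenant_id) + "?" + urlencode(params)


def domain_hint_of(url: str) -> Optional[str]:
    """Check helper: the whr domain hint Azure AD would see on this URL, if any."""
    return parse_qs(urlparse(url).query).get("whr", [None])[0]
```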