Using ADFS as IdP - would like to pass the email address from custom login form and have it pre-populated in ADFS.


Mark

Nov 17, 2017, 10:53:48 AM
to SimpleSAMLphp
What are you trying to do?
I have an application which requires SSO capabilities with a corporate ADFS server.  I currently have this ADFS server configured and working with my application.
However, when the user enters their email address in our app's sign-in page, and we redirect them to ADFS, I would like to have that same email address pre-populated in the ADFS sign-on page.  I have seen this working with other applications like Office365, where the user's email was passed as a GET parameter in the URL.  How can this be configured in simplesamlphp?

What have you done?
I have tried to find examples of this by searching online, and haven't found a solution as of yet.

Is there anything wrong?
No, SSO for my application is working.  I would just like to pre-populate the user's email address on the ADFS server to make things a bit easier for them.

Peter Schober

Nov 18, 2017, 8:20:38 AM
to SimpleSAMLphp
* Mark <drabb...@gmail.com> [2017-11-17 16:53]:
> However, when the user enters their email address in our app's
> sign-in page

FWIW, NISO recommends a different approach, cf.
https://discovery.refeds.org/

> and we redirect them to ADFS, I would like to have that same email
> address pre-populated in the ADFS sign-on page. I have seen this
> working with other applications like Office365 and the user's email
> was passed as a GET parameter in the URL. How can this be
> configured in simplesamlphp?

If the SP is SimpleSAMLphp and the protocol to use between the SP and
the IDP is SAML 2.0 then it's not allowed by the spec to pass
arbitrary parameters with the SAML 2.0 authentication request, AFAIR.
(If the spec isn't clear you can ask for guidance on the saml-dev list
provided by OASIS.)

The only spec-legal way to send "other stuff" is by creating an
extension within the SAML authentication request and of course
modifying the RP (here the ADFS IDP, so good luck with that) to pull
the data out of the extension.

-peter
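For readers who want to see what the extension route Peter describes looks like on the SP side, here is an added example (not code from the thread or from the SimpleSAMLphp project) that attaches the email the user typed into the SP's own sign-in form as a child of the AuthnRequest's `<samlp:Extensions>`, using SimpleSAMLphp's documented `saml:Extensions` login option. The namespace `urn:example:login-hint`, the element name `lh:Email`, the authsource name `default-sp` and the autoload path are assumptions; as the thread notes, ADFS ignores such an extension unless the IdP side is customized to read it.

```php
<?php
// Added example, not from the thread: send the user's email address as a
// spec-legal AuthnRequest extension rather than as a query parameter.
require_once '/var/simplesamlphp/lib/_autoload.php'; // assumed install path

// Namespace and element name are assumptions chosen for this illustration.
const HINT_NS   = 'urn:example:login-hint';
const HINT_NAME = 'lh:Email';

function buildEmailHintExtension(string $email): \SAML2\XML\Chunk
{
    // Forward only a syntactically valid address; reject anything else so
    // arbitrary form input never travels to the IdP inside the request.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('not an email address');
    }
    $dom = \SAML2\DOMDocumentFactory::create();
    $el  = $dom->createElementNS(HINT_NS, HINT_NAME);
    // createTextNode() escapes the value, so the address cannot break the XML.
    $el->appendChild($dom->createTextNode($email));
    return new \SAML2\XML\Chunk($el);
}

// Email submitted by the SP's custom sign-in form (POST field "email").
$email = filter_input(INPUT_POST, 'email') ?? '';

$as = new \SimpleSAML\Auth\Simple('default-sp'); // authsource from authsources.php
$as->login([
    // Array of \SAML2\XML\Chunk objects added under <samlp:Extensions>.
    'saml:Extensions' => [buildEmailHintExtension($email)],
    'ReturnTo'        => 'https://sp.example.org/app/',
]);
```

The resulting AuthnRequest can be inspected with SimpleSAMLphp's debug logging to confirm the `lh:Email` element is present before working on the ADFS side.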