Problem

I use the IdP Selection by Email (see here) and I want to use the entered email to prefill the email at my identity provider. How can I do this?


Limitations

This feature is available for OpenID Connect-based identity providers. For SAML2 configurations, the feature is available for Microsoft Entra/Azure, ADFS, and Okta.


Technical background


OpenID Connect and SAML2 both specify an optional mechanism to pass email addresses/usernames to identity providers to pre-fill login forms. While all tested OpenID Connect-based identity providers implement the feature, none of the SAML2-based ones do. However, there are non-standard ways to pass the information to some identity providers, so for SAML2 configurations we only support Microsoft Entra/Azure, ADFS, and Okta.

Prerequisites

You must use the IdP Selection by Email - otherwise, there is no email to pass to the identity provider. Please see here to learn how to configure this.

Solution

Starting with SAML SSO 6.9.0, we allow passing the entered email to the identity provider. As a result, the users will only need to enter their password for the login. To configure this, please continue reading.


  1. Go to the SAML SSO app configuration.
  2. On the identity provider configuration, click Send Email as Login Hint to Identity Provider.



  3. For new configurations, the Login Hint Parameter Name will be pre-filled. For existing configurations, you will find the needed parameter name below or in the red validation message in the app.

    For OpenID Connect configurations, the Login Hint Parameter Name is always login_hint. For SAML2 configurations, please see the table below.

    | IdP Name              | Login Hint Parameter Name for SAML2 |
    |-----------------------|-------------------------------------|
    | Microsoft Entra/Azure | login_hint                          |
    | ADFS                  | login_hint                          |
    | Okta                  | LoginHint                           |




  4. Save the configuration.
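
The following sketch is an added example, not code from the SAML SSO app. It shows how an entered email could be attached to the redirect sent to the identity provider using the parameter names from the table above, with the value URL-encoded so that characters in the email cannot add or override other request parameters. The function name, the `idp_kind` labels, the `idp.example` URLs, and the assumption that the hint travels as a query parameter on the redirect are all made up for this illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Parameter names from the table above; the keys are labels chosen for this example.
LOGIN_HINT_PARAM = {
    "oidc": "login_hint",
    "saml2-entra": "login_hint",
    "saml2-adfs": "login_hint",
    "saml2-okta": "LoginHint",
}

# Deliberately strict shape check: exactly one "@", no whitespace or control characters.
_EMAIL_RE = re.compile(r"[^@\s\x00-\x1f]+@[^@\s\x00-\x1f]+\.[^@\s\x00-\x1f]+")


def add_login_hint(redirect_url, idp_kind, email):
    """Return redirect_url with the entered email attached as the login hint.

    Assumption: the hint is carried as a query parameter on the redirect to the IdP.
    """
    param = LOGIN_HINT_PARAM[idp_kind]
    if not _EMAIL_RE.fullmatch(email):
        # Send no hint rather than a malformed one; the user types the name at the IdP.
        return redirect_url
    parts = urlsplit(redirect_url)
    # Drop any hint already on the URL so the IdP receives exactly one value.
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k != param]
    query.append((param, email))
    # urlencode percent-encodes "&", "=", "+", "@" and similar characters in the value.
    return urlunsplit(parts._replace(query=urlencode(query)))


if __name__ == "__main__":
    # Constructed sample values.
    print(add_login_hint("https://idp.example/authorize?client_id=abc&scope=openid",
                         "oidc", "alice+test@example.com"))
    print(add_login_hint("https://idp.example/sso/saml?SAMLRequest=abc",
                         "saml2-okta", "bob@example.com"))
```

The login hint only pre-fills the username field; the identity provider still authenticates the user.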