
User1737548044369577033 (Customer) asked a question.
Hello community,
Use case: We have an application that uses Okta for SSO with SAML 2.0. The authentication flow is:
The application (original SP) sends a SAML auth request to Okta, including the username in the SAML subject. Okta, based on the routing rules, forwards this request to an external IdP, which authenticates the user via a security/hardware key.
Problem:
The username from the original SP's SAML auth request does not appear to be forwarded to the external IdP by Okta. As a result, the user has to enter their username again at the external IdP, which we want to avoid.
Questions:
a) How can we configure Okta to preserve and forward the username from the original SAML auth request to the external IdP?
b) What are the best practices or configuration steps within Okta to ensure the username is correctly passed through?
c) Are there specific logs or debugging tools in Okta that can help us trace and ensure the username attribute is managed properly?
Current configuration:
a) The original SP sends the username in the SAML subject to Okta.
b) Okta applies routing rules to forward the request to an external IdP.
c) The external IdP requires re-entry of the username for authentication via security key.
Any detailed guidance on achieving this would be greatly appreciated. Thank you!!!

Hi @User1737548044369577033 (Customer), thank you for reaching out to the Okta Community!
I have not been able to find any conclusive indication that this use case is supported.
Something similar seems to have been discussed in an older Developer post.
I would also expect this to be dependent on the username mapping matching for the app, Okta and the external IDP.
You can check the Okta System Logs to see if the authentication attempt with the IDP fails or if it just does not get passed along.
The Okta Community Questions forum isn't really meant for in-depth troubleshooting.
If you have an account with us and are a SuperAdmin/Case Admin, please open a case to work with my colleagues from the Support Team to investigate this further. They'll be able to access additional tools and resources to help you get to the bottom of it.
If my answer helped, remember to mark it as best to increase its visibility for other members of the Okta Community who might have the same questions as you.
Hope my answer helps!
--
Join the discussion for Ask Me Anything on February 4, 2025: Advancements in Okta’s On-Prem Directory Integrations
I think what you are looking for is an attribute called "LoginHint" or "login_hint". I'm not finding exact documentation on which one and how exactly to pass it from Okta to an external IDP but it sounds like that could be what you are missing. Take a look at the following links and see if they provide you some clues.
https://devforum.okta.com/t/passing-username-to-external-idp-in-uri/19894
https://developer.okta.com/docs/concepts/saml/#understanding-sp-initiated-sign-in-flow
@MatthewH.10249 (State of Iowa) My use case is for a SAML app, not an OIDC-based app; from the Okta docs I could see the login_hint parameter is for OIDC apps. Please correct me if my understanding is wrong.
I've never done this so cannot say for sure but the accepted answer in the following post that I previously shared indicates SAML was being used. They mention "LoginHint" so perhaps "login_hint" is OIDC and "LoginHint" is SAML.
https://devforum.okta.com/t/passing-username-to-external-idp-in-uri/19894
Probably an easy test would be for you to add "LoginHint" as a custom "Attribute Statements" under the "SAML Settings" found on the "General" tab of your Okta app and see what happens.
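For question (c) and the "see what happens" test above, an added example (not from the thread and not an Okta tool) that checks on the wire whether the username survives the hop: decode the SAMLRequest the SP sends to Okta and the one Okta sends on to the external IdP, then compare the Subject/NameID in each. The AuthnRequest, issuer and user below are constructed; the two captured SAMLRequest values are assumed to come from a browser trace or proxy log.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: an SP-initiated AuthnRequest carrying the user's name in
# <saml:Subject>, as the original SP in the thread does.
SP_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_constructed-1" Version="2.0" IssueInstant="2025-01-22T10:00:00Z"
    AssertionConsumerServiceURL="https://sp.example.com/acs">
  <saml:Issuer>https://sp.example.com</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
  </saml:Subject>
</samlp:AuthnRequest>"""

# Constructed sample: the same request with the Subject stripped, which is what
# the external IdP sees when the proxying IdP does not carry the hint forward.
_start = SP_REQUEST.index("  <saml:Subject>")
_end = SP_REQUEST.index("</saml:Subject>\n") + len("</saml:Subject>\n")
FORWARDED_REQUEST = SP_REQUEST[:_start] + SP_REQUEST[_end:]

def encode_redirect(xml_text: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE then base64 (used to build the samples)."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml_text.encode()) + comp.flush()).decode()

def decode_saml_request(encoded: str) -> str:
    """Redirect binding is base64 over raw DEFLATE; POST binding is plain base64."""
    raw = base64.b64decode(encoded)
    try:
        return zlib.decompress(raw, -15).decode("utf-8")
    except zlib.error:
        return raw.decode("utf-8")

def extract_subject(xml_text: str) -> dict:
    """Issuer plus Subject/NameID value and Format; NameID is None if absent."""
    root = ET.fromstring(xml_text)
    issuer = root.find("saml:Issuer", NS)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    return {"issuer": issuer.text if issuer is not None else None,
            "name_id": name_id.text if name_id is not None else None,
            "format": name_id.get("Format") if name_id is not None else None}

def hint_preserved(sp_saml_request: str, idp_saml_request: str) -> bool:
    """True when the NameID the SP sent reappears in the request the IdP received."""
    sent = extract_subject(decode_saml_request(sp_saml_request))["name_id"]
    received = extract_subject(decode_saml_request(idp_saml_request))["name_id"]
    return sent is not None and sent == received
```

Feed `hint_preserved` the two SAMLRequest query values from a real trace; if the SP side shows a NameID and the IdP side does not, the hint is being dropped at the proxy rather than ignored by the external IdP.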