
AaronG.41962 (Customer) asked a question.
We have a federated Okta SAML2 SSO setup with multiple customer IdPs and a hub Okta instance which handles all authentication for our App. So it looks like this:
IdP1, IdP2, … <—> Okta <—> App
In our Service Provider initiated flow, an unauthenticated user navigates directly to App and is asked for their email address in order for App to determine if they authenticate with the above SSO flow or a standard username/password flow. If the user is indeed an SSO user, we are trying to avoid having the user enter their email address a second time.
Best we have it at the moment is we kick off the SP-initiated flow by sending a SAML2 AuthNRequest from App to Okta with the user's email address in the `login_hint` query parameter. Okta looks up the appropriate IdP for this user based on the domain of their email address in its configured identity provider routing rules. Okta then sends a new SAML2 AuthNRequest to the IdP where the user finally logs in, but does NOT re-include the `login_hint` parameter in the request.
The net result of this is that, even for IdPs which support the `login_hint` parameter (Okta, Entra ID, ...), the user must re-enter their email address at the IdP.
Is there a way to get Okta to proxy the `login_hint` parameter in its AuthNRequest to the IdP? Or is there another way to approach this problem?
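The SP-initiated leg described above, as an added example that is not part of the original post or of any Okta code: App decides from the email domain whether the user is an SSO user, builds the HTTP-Redirect AuthnRequest to the hub with `login_hint` alongside `SAMLRequest`, and a decoder that can be pointed at either redirect (App to hub, or hub to IdP) to confirm whether the hint survived. The endpoint URLs, entity IDs and domain table are constructed placeholders.

```python
import base64
import uuid
import zlib
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholders: the hub SSO endpoint, SP entity ID and ACS URL are not real.
HUB_SSO_URL = "https://hub.example.okta.com/app/example_app/sso/saml"
SP_ENTITY_ID = "https://app.example.com/saml/metadata"
ACS_URL = "https://app.example.com/saml/acs"
# Constructed stand-in for the hub's IdP routing rules (email domain -> IdP name).
SSO_DOMAINS = {"customer1.example": "IdP1", "customer2.example": "IdP2"}


def routing_decision(email):
    """IdP name for an SSO user, or None when App should fall back to username/password."""
    domain = email.rsplit("@", 1)[-1].lower()
    return SSO_DOMAINS.get(domain)


def build_authn_request(request_id, issue_instant):
    """Minimal SAML 2.0 AuthnRequest XML as sent by App (the SP) to the hub."""
    return (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        f'AssertionConsumerServiceURL="{ACS_URL}" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f"<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>"
    )


def sp_initiated_redirect(email, request_id=None):
    """SP -> hub HTTP-Redirect URL: deflated + base64 SAMLRequest plus login_hint."""
    request_id = request_id or "_" + uuid.uuid4().hex
    issue_instant = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    xml = build_authn_request(request_id, issue_instant)
    # The HTTP-Redirect binding uses raw DEFLATE (wbits=-15: no zlib header or trailer).
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(xml.encode()) + comp.flush()
    saml_request = base64.b64encode(deflated).decode()
    return HUB_SSO_URL + "?" + urlencode({"SAMLRequest": saml_request, "login_hint": email})


def decode_redirect(url):
    """Inspect a redirect (SP->hub or hub->IdP): return (AuthnRequest XML, login_hint or None)."""
    params = parse_qs(urlparse(url).query)
    xml = zlib.decompress(base64.b64decode(params["SAMLRequest"][0]), -15).decode()
    return xml, params.get("login_hint", [None])[0]
```

Running `decode_redirect` against the URL the hub sends the browser to on its way to the IdP shows directly whether `login_hint` was dropped, which is the symptom the question describes.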

Hello @AaronG.41962 (Customer) Thank you for posting on our Community page!
Unfortunately, at this time there is no direct administrative setting in the Okta Admin Console to instruct the Okta Hub to automatically re-include the login_hint as a query parameter on the SAML request to a federated IdP.
However, you can submit an Idea in our Ideas section for the possibility of adding this functionality in the future.
https://ideas.okta.com/
Thank you for reaching out to our Community and have a great day!