Use Office365 Username for populating IdP login form

Martin Haase Martin.Haase at
Mon Apr 1 05:30:19 EDT 2019

Hi Peter,

On 29.03.19 at 12:59, Peter Schober wrote:
> * Martin Haase <Martin.Haase at> [2019-03-29 11:58]:
>> (I think Azure just looks at the scope of whatever I type). Then, at
>> the IdP, the user has to type her username again. This IdP is
>> configured to accept mail besides sAMAccountName, so it would be
>> convenient to have the username field pre-filled with this mail
>> value. Indeed Azure is sending this username to the IdP, alongside
>> the POSTed AuthNrequest, non-SAML-conformant.
> Given these factors (leaking data to the SP that may be private to the
> IDP;
hmmm. After AuthN, the O365 SP gets the IDPEmail / Username anyway, no?
> note that your suggestion also won't work with IDPs using
> something other than the subject's email as userid during login;
> non-conformant behaviour of the SP for the SAML request) I would
> suggest to instead train subjects to NOT ever enter their username
> into that field, only the domain (same with e.g. Adobe SSO).
> Then try hard to make all subjects access the SP over an IDP-org
> hosted "WAYF-less URL" to avoid this kind of discovery /completely/.

How exactly would this work with MS Office Products that fire up an
embedded browser, even without a URL field?

> This should reduce the number of people having to enter anything there
> significantly, and the number of people having to enter their login
> name or email address twice to hopefully a very small percentage.
> (Namely those that don't follow directions.)
> -peter

Dr. Martin Haase, Solutions Engineer

DAASI International GmbH
Europaplatz 3
D-72072 Tübingen

phone: +49 7071 407109-0
fax:   +49 7071 407109-9
email: martin.haase at

Registered office: Tübingen
Court of registration: Amtsgericht Stuttgart, HRB 382175
Management: Peter Gietz

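To make the pre-fill idea discussed above concrete from the IdP side, here is an added example that is not part of the list post and is not Shibboleth or Azure code: it treats a username the SP posts next to the AuthnRequest as an untrusted UI hint, keeping it only when it is a single, well-formed address in a scope the IdP is authoritative for, and never using it for authentication. The form field name `username`, the sample POST body and the scope list are assumptions made for the example.

```python
import re
from urllib.parse import parse_qs

# Constructed sample of a form body an SP might POST to the IdP SSO endpoint.
# Only SAMLRequest/RelayState are defined by the SAML HTTP-POST binding; the
# extra "username" field (and its name) is an assumption for illustration.
SAMPLE_BODY = (
    "SAMLRequest=PLACEHOLDER&RelayState=abc"
    "&username=jane.doe%40example.edu"
)

# Scopes this IdP is authoritative for (assumed values).
IDP_SCOPES = {"example.edu", "mail.example.edu"}

_LOCALPART = re.compile(r"^[A-Za-z0-9._%+-]{1,64}$")


def login_hint(body: str, scopes=IDP_SCOPES, field: str = "username"):
    """Return a value that is safe to pre-fill into the login form, or None.

    The hint is supplied by the SP, so it is untrusted input: it only
    populates the username box, it never establishes identity, and it is
    dropped unless it is exactly one plain mail address in one of our scopes.
    """
    fields = parse_qs(body, keep_blank_values=False)
    values = fields.get(field, [])
    if len(values) != 1:            # missing or repeated parameter: ignore it
        return None
    hint = values[0].strip()
    if len(hint) > 254 or hint.count("@") != 1:
        return None                 # not a single mail address
    local, domain = hint.split("@")
    domain = domain.lower()
    if not _LOCALPART.match(local):
        return None                 # junk or markup in the local part
    if domain not in scopes:
        return None                 # foreign scope: not our user, do not echo it
    return f"{local}@{domain}"
```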