Use Office365 Username for populating IdP login form
Martin Haase
Martin.Haase at DAASI.de
Mon Apr 1 05:30:19 EDT 2019
Hi Peter,
On 29.03.19 at 12:59, Peter Schober wrote:
> * Martin Haase <Martin.Haase at DAASI.de> [2019-03-29 11:58]:
>> (I think Azure just looks at the scope of whatever I type). Then, at
>> the IdP, the user has to type her username again. This IdP is
>> configured to accept mail besides sAMAccountName, so it would be
>> convenient to have the username field pre-filled with this mail
>> value. Indeed Azure is sending this username to the IdP, alongside
>> the POSTed AuthnRequest, non-SAML-conformant.
> Given these factors (leaking data to the SP that may be private to the
> IDP;
hmmm. After AuthN, the O365 SP gets the IDPEmail / Username anyway, no?
> note that your suggestion also won't work with IDPs using
> something other than the subject's email as userid during login;
> non-conformant behaviour of the SP for the SAML request) I would
> suggest to instead train subjects to NOT ever enter their username
> into that field, only the domain (same with e.g. Adobe SSO).
> Then try hard to make all subjects access the SP over an IDP-org
> hosted "WAYF-less URL" to avoid this kind of discovery /completely/.
How exactly would this work with MS Office Products that fire up an
embedded browser, even without a URL field?
Cheers
Martin
>
> This should reduce the number of people having to enter anything there
> significantly, and the number of people having to enter their login
> name or email address twice to hopefully a very small percentage.
> (Namely those that don't follow directions.)
>
> -peter
--
Dr. Martin Haase, Solutions Engineer
DAASI International GmbH
Europaplatz 3
D-72072 Tübingen
Germany
phone: +49 7071 407109-0
fax: +49 7071 407109-9
email: martin.haase at daasi.de
web: www.daasi.de
Registered office: Tübingen
Commercial register: Amtsgericht Stuttgart, HRB 382175
Management: Peter Gietz
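As an added illustration of the two points argued in this exchange (not code from either poster): if an IdP does decide to pre-fill its login form from the extra value Azure posts alongside the AuthnRequest, it should at least ignore that value unless it is a well-formed address in one of the IdP's own scopes, and the cleaner alternative Peter describes is an IdP-initiated "WAYF-less" URL to the Shibboleth IdP's unsolicited SSO endpoint. The form-field name `username`, the scope set, and the entityID/target values are assumptions for the example, not something the thread states.

```python
"""
Added example, not part of the original mailing-list thread.

1. prefill_username(): given the parsed POST body of the SP's request,
   return a pre-fill value for the IdP login form only when the extra
   field is a single-@ address whose domain is one of the IdP's scopes;
   otherwise return "" and make the user type the name as today.
2. wayfless_url(): build an IdP-initiated SSO URL for the Shibboleth IdP
   (/idp/profile/SAML2/Unsolicited/SSO with providerId and target), so
   that users never have to enter anything into the SP's discovery field.

Assumptions (hypothetical, not from the thread): the extra form field is
called "username"; the scopes and entityIDs below are constructed samples.
"""
from urllib.parse import urlencode

# Constructed sample: the scopes this IdP is authoritative for.
IDP_SCOPES = {"example.edu", "sub.example.edu"}


def prefill_username(form: dict, scopes=IDP_SCOPES) -> str:
    """Return a value to pre-fill the login form with, or "" to pre-fill nothing.

    'form' is the parsed POST body of the SP's AuthnRequest. Only an address
    whose domain is in our own scopes is accepted; anything else is ignored so
    an SP cannot plant arbitrary text in the login form.
    """
    if "SAMLRequest" not in form:
        return ""  # no AuthnRequest at all: nothing to pre-fill
    raw = form.get("username", "")  # hypothetical field name (assumption)
    if raw.count("@") != 1:
        return ""  # not a single user@domain address
    local, _, domain = raw.partition("@")
    domain = domain.lower()
    if not local or domain not in scopes:
        return ""  # empty local part or a domain we are not authoritative for
    return f"{local}@{domain}"


def wayfless_url(idp_base: str, sp_entity_id: str, target: str) -> str:
    """Build an IdP-initiated ("WAYF-less") SSO URL for a Shibboleth IdP.

    providerId selects the SP by entityID; target becomes the relay state,
    i.e. where the SP sends the user after consuming the assertion.
    """
    base = idp_base.rstrip("/") + "/idp/profile/SAML2/Unsolicited/SSO"
    return base + "?" + urlencode({"providerId": sp_entity_id, "target": target})


if __name__ == "__main__":
    # Constructed sample POST bodies (SAMLRequest content is irrelevant here).
    print(prefill_username({"SAMLRequest": "...", "username": "alice@Example.edu"}))
    print(repr(prefill_username({"SAMLRequest": "...", "username": "alice@evil.example"})))
    print(wayfless_url("https://idp.example.edu/",
                       "urn:federation:MicrosoftOnline",
                       "https://portal.office.com/"))
```

The scope check is the part that answers Peter's "leaking data" and "other userid than email" objections only partially: it stops the IdP from trusting out-of-scope input, but it does not change the fact that the SP has already seen whatever the user typed into the discovery field.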