send Subject in SAML login flow

Cantor, Scott cantor.2 at
Fri Jan 14 14:24:37 UTC 2022

On 1/14/22, 6:04 AM, "users on behalf of Ignacio Amoeiro Bosch" <users-bounces at on behalf of ignacio.amoeiro at> wrote:

>    For this we want to use the SAML login flow, but we want to know if posible to add in the AuthRequest  the
> already authenticated subject in the authn/Password Flow. So they don't need to ask again for the UserID. Is
> this achievable?

There is no support for populating the Subject element in a request. Technically that is close to the semantic that the element has in SAML, but it isn't used properly by any SAML IdPs other than Shibboleth so we do not facilitate the misuse of the standard by sending it. If we identified a situation where it wouldn't be misused we might consider it.

My impression is that the majority of solutions relying on SAML proxying for MFA do it by handling all of the factors, not just one of them. You offload authentication to them in total.

-- Scott

More information about the users mailing list