azure single-sign-on sustainsys-saml2

How to specify a particular user to authenticate during SAML authentication (SustainSys)


Another dumb SSO-newbie question, but after lots of searching the answer eludes me. We're using the SustainSys SAML2 library (the Http Module version with .NET Framework). When we want to initiate an auth request to the idP we redirect to /Saml2/SignIn and specify the idP parameter on the URL and everything works fine.

My question is: is there a way to send a specific username that we want to log in as during the Auth request? When our clients go to sign in, we just prompt them for their username and use that to detect which idP to send them to. But if I type in "user2@mycompany.com" when I'm already signed in to the idP as "user1@mycompany.com", the idP will just redirect me right back to our website as an already-authenticated user (user1). Is it possible to change that so the idP is requested to authenticate as a specific user? Based on something I saw during my search I tried adding "&username=" to the SignIn URL but it had no effect.

In case it matters, Azure (Entra) is being used for the idP.


Solution

  • Unfortunately, there is no supported way in SAML to specify which user should authenticate during the login. Even if you pass a specific username or try to use a Subject element, Azure AD will simply use the active session and sign in the user who is already authenticated.

    Azure AD also does not support reading a login_hint from the SAML AuthnRequest or from query parameters. That capability is only available in OAuth2 or OpenID Connect flows, not SAML.

    The only supported way to prompt Azure to show the login screen again is by using the ForceAuthn flag. This instructs Azure to re-authenticate the user, even if a session already exists. In SustainSys, you can do this in code like this:

    // Setting ForceAuthentication emits ForceAuthn="true" on the outgoing AuthnRequest
    var request = new Saml2AuthenticationRequest(config)
    {
        ForceAuthentication = true
    };

    Or if you’re manually crafting the XML:

    <samlp:AuthnRequest ForceAuthn="true" ... >

    This is the correct and supported method to bypass the current session and allow the user to enter a different account.

    Reference: Microsoft Docs – SAML AuthnRequest
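With the HttpModule flavour of Sustainsys.Saml2 the application does not construct the AuthnRequest itself; the module builds it when the browser hits /Saml2/SignIn. The supported place to set ForceAuthentication in that model is the AuthenticationRequestCreated notification. The following Global.asax.cs hook is an added example, not code from the question, the answer or the Sustainsys project; it assumes the static Options.FromConfiguration object that the HttpModule reads, and the Entra entityID shown is a placeholder for the tenant's real value.

```csharp
using System;
using System.Web;
using Sustainsys.Saml2.Configuration;

// Global.asax.cs of the service-provider web app that hosts the Sustainsys.Saml2 HttpModule.
public class Global : HttpApplication
{
    // Placeholder: entityID of the Entra ID tenant as configured in <identityProviders>.
    // Entra issues https://sts.windows.net/<tenant-id>/ ; substitute the real tenant id.
    private const string EntraEntityId = "https://sts.windows.net/PLACEHOLDER-TENANT-ID/";

    protected void Application_Start()
    {
        // Options.FromConfiguration is the options object the HttpModule reads from web.config.
        // The notification fires for every SP-initiated sign-in, after the module has built
        // the Saml2AuthenticationRequest and before it is encoded and sent to the IdP.
        Options.FromConfiguration.Notifications.AuthenticationRequestCreated =
            (request, identityProvider, relayData) =>
            {
                // Scope the behaviour to the Entra IdP only; other IdPs keep their default
                // (session-reusing) sign-in. Comparison is on the configured entityID string.
                if (!string.Equals(identityProvider.EntityId.Id, EntraEntityId, StringComparison.Ordinal))
                {
                    return;
                }

                // Emits ForceAuthn="true" on the <samlp:AuthnRequest>. Entra then re-prompts
                // for credentials instead of silently returning the already-signed-in user,
                // which is what lets user2 sign in while the browser still holds user1's session.
                request.ForceAuthentication = true;
            };
    }
}
```

As written, the hook forces re-authentication on every sign-in routed to that IdP. That is the only lever SAML gives here, so if the application wants to force re-authentication only when the typed username differs from the current session, it has to carry that decision itself (for example in the relay data it passes to the sign-in) and set ForceAuthentication conditionally inside the same callback; the user's identity is still decided by the IdP, never by the request.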