The Burden of Federated Authentication
If you’ve ever had the pleasure to hear me rant on web access management then you know I like to stress the difference between authentication and authorization. Authentication is the process of ...
Published May 23, 2016
Version 1.0
Cody_Green
Employee
Employee
I’ve never seen it done inside the SAML AuthN request unfortunately, though there may be something out there and would be interested if anyone knows of one. Part of the reason is unfortunately very few IdP’s would have the capability of leveraging the identity information even if it were sent by the SP.
Office 365 did it outside the SAML AuthN request by including the email address entered as part of their referer header. It was only there for a few months though and may have been an accidental feature that happened as a result of changes to their javascript based redirects around that time. Obviously leveraging something like that outside the SAML request is difficult to impossible in most IdPs, but only took about 10 minutes to do with an iRule and VPE on Big-IP. Even though it won't work for O365 anymore perhaps there are other solutions it could be leveraged for, I'll publish it on DevCentral.