
We are using a custom SignIn/SignUp policy, with Facebook, LinkedIn, Twitter and Google+ configured as social IdPs.

We have built a custom page where we ask the user for their email and then redirect them to the particular IdP page (we have logic built around this) using domain_hint, for example: domain_hint=facebook.com.

I want to pass the email address entered by the user in the first step in login_hint along with domain_hint so that the user doesn't have to enter the email once again when redirected to the IdP page (facebook.com).

I took the code from the AD B2C documentation for IdPs and added it as below in the claims providers for Facebook, LinkedIn, Twitter etc., but it is not working:

<InputClaims>
    <InputClaim ClaimTypeReferenceId="logonIdentifier" PartnerClaimType="login_hint" DefaultValue="{OIDC:LoginHint}" />
</InputClaims>
<OutputClaims>
    <OutputClaim ClaimTypeReferenceId="logonIdentifier" Required="true" />
</OutputClaims>

Is there a way/option to achieve this?

Lucky

2 Answers


For the above identity providers, Google is the only one that supports a login hint, so if you add the domain_hint and login_hint parameters to the Azure AD B2C request:

https://login.microsoftonline.com/te/<tenant>/<policy>/oauth2/v2.0/authorize?...&domain_hint=google.com&login_hint=someone@somewhere.com

then you can pass the "login_hint" parameter through from Azure AD B2C to the Google endpoint as follows:

1) Create a "loginHint" claim type:

<ClaimType Id="loginHint">
  <DisplayName>Login Hint</DisplayName>
  <DataType>string</DataType>
</ClaimType>

2) Add the "loginHint" input claim to the Google technical profile:

<ClaimsProvider>
  <Domain>google.com</Domain>
  <DisplayName>Google Account</DisplayName>
  <TechnicalProfiles>
    <TechnicalProfile Id="GoogleAccount-OAuth2">
      <DisplayName>Google Account</DisplayName>
      <Protocol Name="OAuth2" />
      ...
      <InputClaims>
        <InputClaim ClaimTypeReferenceId="loginHint" PartnerClaimType="login_hint" DefaultValue="{OIDC:LoginHint}" />
      </InputClaims>
      ...
    </TechnicalProfile>
  </TechnicalProfiles>
</ClaimsProvider>
Chris Padgett
  • Chris, thank you for the response. Is there any other way/workaround I can achieve the same functionality for facebook, linkedin, twitter? Your suggested code is working for Google. – Lucky Mar 27 '18 at 14:43
  • Facebook and LinkedIn don't provide an input parameter, such as `login_hint` or similar, to pass the login identifier to them. Twitter does provide the `screen_name` parameter at [the `GET oauth/authenticate` endpoint](https://developer.twitter.com/en/docs/basics/authentication/api-reference/authenticate) which might work for you. – Chris Padgett Mar 28 '18 at 22:05
  • Does this work for Azure AD? – Victorio Berra Mar 17 '23 at 17:28
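As an added worked example (not code from the question or from the answer above), here is the client-side step the thread describes put together: a helper that builds the Azure AD B2C authorize request with domain_hint and login_hint, percent-encodes the address, and forwards login_hint only to the IdPs the answer says honour it (Google). The tenant, policy name, client id and redirect URI are placeholder assumptions, and the login.microsoftonline.com/te endpoint form is the one shown in the answer.

```python
"""Build an Azure AD B2C authorize request carrying domain_hint and login_hint.

Added example, not code from the Stack Overflow post. Assumptions: the
login.microsoftonline.com/te/<tenant>/<policy> endpoint form from the answer,
placeholder tenant/policy/client values, and the answer's statement that of
Facebook, LinkedIn, Twitter and Google only Google accepts a login hint.
"""
import re
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# IdPs reachable via domain_hint in the question.
KNOWN_DOMAIN_HINTS = {"facebook.com", "linkedin.com", "twitter.com", "google.com"}

# Per the answer: only Google honours a login identifier passed from B2C.
IDPS_HONOURING_LOGIN_HINT = {"google.com"}

# Loose shape check: one '@', no whitespace or URL delimiters. The hint is
# advisory (the IdP still authenticates the user); this only keeps the query clean.
_EMAIL_RE = re.compile(r"^[^\s@/?#]+@[^\s@/?#]+\.[^\s@/?#]+$")


def build_authorize_url(tenant, policy, client_id, redirect_uri, domain_hint,
                        login_hint=None, state=None, nonce=None):
    """Return the B2C authorize URL for the given policy and IdP hints.

    login_hint is dropped when the chosen IdP ignores it, so the address is
    not sent around for nothing. state and nonce default to fresh random values.
    """
    if domain_hint not in KNOWN_DOMAIN_HINTS:
        raise ValueError(f"unknown domain_hint: {domain_hint!r}")
    params = {
        "client_id": client_id,
        "response_type": "id_token",
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "response_mode": "form_post",
        "state": state or secrets.token_urlsafe(16),
        "nonce": nonce or secrets.token_urlsafe(16),
        "domain_hint": domain_hint,
    }
    if login_hint is not None:
        if not _EMAIL_RE.match(login_hint):
            raise ValueError("login_hint must look like an email address")
        if domain_hint in IDPS_HONOURING_LOGIN_HINT:
            params["login_hint"] = login_hint
    base = f"https://login.microsoftonline.com/te/{tenant}/{policy}/oauth2/v2.0/authorize"
    # urlencode percent-encodes the address, e.g. '@' becomes '%40'.
    return f"{base}?{urlencode(params)}"


def hints_in(url):
    """Read back the domain_hint / login_hint parameters from an authorize URL."""
    qs = parse_qs(urlsplit(url).query)
    return {k: qs[k][0] for k in ("domain_hint", "login_hint") if k in qs}


if __name__ == "__main__":
    # Placeholder tenant, policy, client id and redirect URI (constructed values).
    print(build_authorize_url("contoso.onmicrosoft.com", "B2C_1A_signup_signin",
                              "00000000-0000-0000-0000-000000000000",
                              "https://app.example/auth",
                              "google.com", "someone@somewhere.com"))
```

The state and nonce values are generated with `secrets` so each request is unique; the hint parameters do not replace them, because login_hint only pre-fills a field and the IdP still authenticates the user in full.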

See this PDF: Targeting a sign-in user or domain name using login and domain hint

Using Login hint in custom policy.

To prepopulate the sign-in name, in your custom policy, override the SelfAsserted-LocalAccountSignin-Email technical profile. In the section, you set the signInName claim's DefaultValue to {OIDC:LoginHint}. The {OIDC:LoginHint} variable contains the value of the login_hint parameter. Azure AD B2C reads the signInName input claim's value and pre-populates the signInName textbox.

spottedmahn
  • I have the above suggested code working for LocalAccount as mentioned in this post https://stackoverflow.com/questions/46811325/how-do-i-include-email-in-the-redirect-to-azure-ad-b2c/46930938#46930938. I want the same to be working for the social IDPs – Lucky Mar 23 '18 at 21:18
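The two answers together say that {OIDC:LoginHint} is honoured by the local-account sign-in profile and by the Google technical profile, while a login_hint input claim on Facebook, LinkedIn or Twitter is ignored. The following added example (not from either answer) is a small audit over a custom-policy XML file that makes this visible before the policy is uploaded. The policy fragment and the technical-profile Ids Facebook-OAUTH and GoogleAccount-OAuth2 are constructed for illustration; the namespace is the TrustFrameworkPolicy namespace of B2C custom policies.

```python
"""Audit an Azure AD B2C custom policy for {OIDC:LoginHint} usage.

Added example, not code from the Stack Overflow thread. It encodes what the
thread states: the local-account profile and Google honour a login hint,
Facebook, LinkedIn and Twitter (via login_hint) do not. The sample policy and
its technical-profile Ids are constructed.
"""
from typing import Dict, List
import xml.etree.ElementTree as ET

# Namespace used by B2C TrustFrameworkPolicy files.
NS = "http://schemas.microsoft.com/online/cpim/schemas/2013/06"
LOGIN_HINT_DEFAULT = "{OIDC:LoginHint}"

# Social IdP domains whose technical profile accepts a login identifier (per the thread).
HONOURS_LOGIN_HINT = {"google.com"}

# Constructed sample: three technical profiles, one of which passes login_hint to Facebook.
SAMPLE_POLICY = f"""<TrustFrameworkPolicy xmlns="{NS}">
  <ClaimsProviders>
    <ClaimsProvider>
      <DisplayName>Local Account</DisplayName>
      <TechnicalProfiles>
        <TechnicalProfile Id="SelfAsserted-LocalAccountSignin-Email">
          <InputClaims>
            <InputClaim ClaimTypeReferenceId="signInName" DefaultValue="{{OIDC:LoginHint}}" />
          </InputClaims>
        </TechnicalProfile>
      </TechnicalProfiles>
    </ClaimsProvider>
    <ClaimsProvider>
      <Domain>facebook.com</Domain>
      <TechnicalProfiles>
        <TechnicalProfile Id="Facebook-OAUTH">
          <InputClaims>
            <InputClaim ClaimTypeReferenceId="logonIdentifier" PartnerClaimType="login_hint" DefaultValue="{{OIDC:LoginHint}}" />
          </InputClaims>
        </TechnicalProfile>
      </TechnicalProfiles>
    </ClaimsProvider>
    <ClaimsProvider>
      <Domain>google.com</Domain>
      <TechnicalProfiles>
        <TechnicalProfile Id="GoogleAccount-OAuth2">
          <InputClaims>
            <InputClaim ClaimTypeReferenceId="loginHint" PartnerClaimType="login_hint" DefaultValue="{{OIDC:LoginHint}}" />
          </InputClaims>
        </TechnicalProfile>
      </TechnicalProfiles>
    </ClaimsProvider>
  </ClaimsProviders>
</TrustFrameworkPolicy>
"""


def _tag(name: str) -> str:
    return f"{{{NS}}}{name}"


def audit_login_hint(policy_xml: str) -> List[Dict[str, str]]:
    """Return one finding per InputClaim whose DefaultValue is {OIDC:LoginHint}.

    status is "ok" for the local account (no <Domain>, B2C fills the textbox
    itself) and for IdPs in HONOURS_LOGIN_HINT; "ignored" for any other IdP.
    """
    root = ET.fromstring(policy_xml)
    findings: List[Dict[str, str]] = []
    for provider in root.iter(_tag("ClaimsProvider")):
        domain_el = provider.find(_tag("Domain"))
        domain = domain_el.text.strip() if domain_el is not None and domain_el.text else ""
        for profile in provider.iter(_tag("TechnicalProfile")):
            for claim in profile.iter(_tag("InputClaim")):
                if claim.get("DefaultValue") != LOGIN_HINT_DEFAULT:
                    continue
                if domain == "" or domain in HONOURS_LOGIN_HINT:
                    status = "ok"
                else:
                    status = "ignored"
                findings.append({
                    "profile": profile.get("Id", ""),
                    "domain": domain,
                    "partner_claim": claim.get("PartnerClaimType", ""),
                    "status": status,
                })
    return findings


if __name__ == "__main__":
    for f in audit_login_hint(SAMPLE_POLICY):
        print(f"{f['status']:8} {f['profile']:40} domain={f['domain'] or '(local)'}")
```

Run it against the real TrustFrameworkExtensions.xml before uploading; an "ignored" line means the claim is wired up but the IdP will still show its own empty login form, which is exactly the situation the question describes.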