Prefill the user name
There are several ways that you can allow the user name on the login screen to be filled automatically:
- Remember me setting on the login page
- Kerberos ticket
- Custom SAML request attribute
- OIDC login_hint
Remember me
Instruct your users to select the Remember me on this device option. This option sets a browser cookie, so on later logins from the same browser the user name is filled in and the user skips entering it.
Because the cookie lives in the browser, the user needs to enable this option at least once in every browser on every device that they use to access a resource.
Kerberos ticket
In Active Directory integrated environments, when Integrated Windows Authentication (Kerberos) is allowed in a policy, a Kerberos ticket can prefill the user name or auto-submit it and move directly to the next step.
This option requires browser settings that allow the browser to present its Kerberos (Negotiate) ticket to the STA login page, typically by adding the STA host to the browser's trusted or intranet sites. Publish these settings through a software configuration system or group policy rather than relying on users to set them. Kerberos is treated as a substitute for entering a password in STA access policies.
Custom SAML request attribute
For some SAML applications that are integrated with STA, you can use a custom SAML request attribute to preset and submit the user name.
You need to enable this functionality on the SAML application in STA with the Enforce User Name setting. Only some of the SAML applications that you can select on the Applications page include this option.
You also need to modify the SAML request so that it carries the requested user name in a Subject element. This is a custom implementation: although SAML 2.0 allows a Subject in an AuthnRequest, service providers do not generally emit one, so you need to validate with the SAML service provider whether including the user name is possible. The user name arrives as unauthenticated input from the service provider; it only presets which account the login is for, and the user still completes the authentication steps that the policy requires.
The following example shows a SAML request that includes the requested user name:
<samlp:AuthnRequest Destination="https://idp1.cryptocard.com/idp/profile/SAML2/Redirect/SSO"
    Version="2.0" IssueInstant="2016-02-24T15:45:55.325Z"
    ID="ID112bf5b0e4169930b663f2d89e62c521fc2f1b8133598fa2ff"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://saml-service-provider.com/safenet/640d3755-e080-4a87-8f7f-91795e78c08d</saml:Issuer>
  <saml:Subject xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe@mysecureauthentication.com</saml:NameID>
  </saml:Subject>
</samlp:AuthnRequest>
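The following Python example is added here to show the request above in motion; it is not code from the STA documentation or from the product. It builds an AuthnRequest that carries the user name in a Subject/NameID, encodes it for the HTTP-Redirect binding that the Destination URL above implies, and then decodes it again the way an IdP would to read the NameID for prefilling. The endpoint, issuer and user name are copied from the example request; the size cap on the inflated request, the SP-side helper names, and the decision to drop an empty NameID are assumptions made for the example.

```python
# Added example, not code from the STA documentation: SP-side construction and
# IdP-side extraction of a SAML 2.0 AuthnRequest that presets the user name.
import base64
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import urlencode, urlparse, parse_qs

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
DESTINATION = "https://idp1.cryptocard.com/idp/profile/SAML2/Redirect/SSO"
ISSUER = "http://saml-service-provider.com/safenet/640d3755-e080-4a87-8f7f-91795e78c08d"
MAX_REQUEST_BYTES = 64 * 1024  # assumed cap on the inflated request (guards against inflate bombs)

ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def build_authn_request(destination, issuer, user_name, request_id, issue_instant=None):
    """SP side: return an AuthnRequest as an XML string.

    When user_name is given, a <saml:Subject> with a NameID in the 'unspecified'
    format is added, which is what the custom prefill implementation relies on."""
    if issue_instant is None:
        issue_instant = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "Destination": destination,
        "Version": "2.0",
        "IssueInstant": issue_instant,
        "ID": request_id,
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = issuer
    if user_name:
        subject = ET.SubElement(req, f"{{{SAML}}}Subject")
        name_id = ET.SubElement(subject, f"{{{SAML}}}NameID", {"Format": NAMEID_UNSPECIFIED})
        name_id.text = user_name
    return ET.tostring(req, encoding="unicode")


def to_redirect_url(destination, authn_request_xml, relay_state=None):
    """SP side: HTTP-Redirect binding encoding: raw DEFLATE (no zlib header),
    base64, then URL-encoding as the SAMLRequest query parameter."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 selects a raw deflate stream
    deflated = compressor.compress(authn_request_xml.encode("utf-8")) + compressor.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state:
        params["RelayState"] = relay_state
    return destination + "?" + urlencode(params)


def requested_name_id(redirect_url):
    """IdP side: decode SAMLRequest from the redirect URL and return the NameID text,
    or None when the SP sent no usable Subject.

    The value is unauthenticated input chosen by the SP: use it only to preset the
    user-name field; the user still has to pass the policy's authentication steps.
    Production code should also parse with a hardened parser such as defusedxml."""
    query = parse_qs(urlparse(redirect_url).query)
    values = query.get("SAMLRequest")
    if not values:
        raise ValueError("missing SAMLRequest parameter")
    raw = base64.b64decode(values[0], validate=True)
    inflater = zlib.decompressobj(-15)
    xml_bytes = inflater.decompress(raw, MAX_REQUEST_BYTES)
    if inflater.unconsumed_tail:
        raise ValueError("inflated AuthnRequest exceeds size cap")
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("SAMLRequest is not an AuthnRequest")
    node = root.find(f"{{{SAML}}}Subject/{{{SAML}}}NameID")
    if node is None or not node.text or not node.text.strip():
        return None
    return node.text.strip()


def demo():
    """Round trip with the page's values: build, encode, decode, extract."""
    xml_str = build_authn_request(DESTINATION, ISSUER, "jdoe@mysecureauthentication.com",
                                  "ID112bf5b0e4169930b663f2d89e62c521fc2f1b8133598fa2ff")
    return requested_name_id(to_redirect_url(DESTINATION, xml_str))


if __name__ == "__main__":
    print(demo())  # jdoe@mysecureauthentication.com
```

The IdP-side function caps the inflated size before parsing because the redirect binding hands the IdP an attacker-controllable compressed blob, and it treats the NameID as a hint to preset, never as an authenticated identity.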
OIDC login_hint
Any OIDC application that includes a login_hint parameter in its authorization request prefills the user name; you don't need to enable this functionality separately. As the parameter name says, login_hint is only a hint: it presets the identifier but does not authenticate the user, who still completes the authentication steps that the policy requires. The following example shows an authorization request with login_hint (replace user_name with the user's login identifier, URL-encoded):
http://sasidp.com:9209/auth/realms/DFCYFPHYYN-STA/protocol/openid-connect/auth?response_type=code&client_id=OIDC_client&redirect_uri=https%3A%2F%2Fdemo.c2id.com%2Foidc-client%2Fcb&scope=openid+email&state=XvcK8RPWyxmXqhTX4nhiIdwRhprdmPAwW0efkoU-5AA&nonce=0nAmahzcyIXOF_1XnIg3bLlZvsyFBdCUpa_ZwU9xbIw&display=popup&login_hint=user_name
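The following Python example is added here and is not code from the STA documentation or the product. It assembles an authorization request like the one above with a fresh state and nonce and a login_hint, and shows how the IdP side should read the hint back: as untrusted input that is validated and used only to preset the user-name field. The endpoint, client_id and redirect_uri are taken from the example URL; the user name, the helper names and the identifier format that is accepted are assumptions made for the example.

```python
# Added example, not code from the STA documentation: client-side construction and
# IdP-side handling of an OIDC authorization request that carries login_hint.
import re
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

AUTH_ENDPOINT = "http://sasidp.com:9209/auth/realms/DFCYFPHYYN-STA/protocol/openid-connect/auth"
CLIENT_ID = "OIDC_client"
REDIRECT_URI = "https://demo.c2id.com/oidc-client/cb"

# Assumed shape of an acceptable identifier: e-mail address, UPN or DOMAIN\user,
# at most 254 characters, and nothing that could be rendered into the page as markup.
LOGIN_HINT_RE = re.compile(r"^[A-Za-z0-9._@+\-\\]{1,254}$")


def build_authorization_url(login_hint, scope="openid email"):
    """Client (RP) side: assemble the authorization request.

    state and nonce are fresh per request (CSRF and ID-token replay protection);
    the caller keeps them in its session to check the response. login_hint is
    just another query parameter, so no extra STA-side configuration is needed."""
    state = secrets.token_urlsafe(32)
    nonce = secrets.token_urlsafe(32)
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,
        "nonce": nonce,
    }
    if login_hint:
        params["login_hint"] = login_hint  # urlencode percent-encodes '@', '\' and spaces
    return AUTH_ENDPOINT + "?" + urlencode(params), state, nonce


def prefill_user_name(authorization_url):
    """IdP side: return the value to prefill into the user-name field, or None.

    login_hint is exactly that, a hint: it is untrusted client input, it does not
    authenticate anybody, and a malformed value is dropped rather than displayed."""
    query = parse_qs(urlparse(authorization_url).query)
    hint = query.get("login_hint", [None])[0]
    if hint is None or not LOGIN_HINT_RE.match(hint):
        return None
    return hint


if __name__ == "__main__":
    url, _state, _nonce = build_authorization_url("jdoe@example.com")
    print(url)
    print(prefill_user_name(url))  # jdoe@example.com
```

Because the hint is rendered into the login page, the IdP-side check rejects anything outside the assumed identifier alphabet instead of echoing it, and an absent or empty login_hint simply leaves the field blank.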