Automatically displaying the user login name for Azure AD B2C, Azure AD and ADFS

Rory Braybrook
The new control plane
2 min read · Jun 19, 2019

I came across some requirements for an application that has a number of different user flows.

One of the requirements was to invoke a different IdP depending on the email address the user enters on the landing page, i.e. home realm discovery keyed on the email domain.

So if the email address was “joe@company.com”, the application would redirect to the company’s ADFS login page, whereas if the email address was “joe@gmail.com”, the application would redirect to the company’s B2C login page.

That is easy to do, but when the user arrives at the IdP’s login page they have to enter the email address a second time. Not a good user experience.

Is there a way to carry the email address over? It turns out there is: the OpenID Connect “login_hint” parameter on the authorize request. Note that it is exactly that, a hint. It pre-fills the username field at the IdP, but the identity the application acts on must always come from the ID token the IdP issues after authentication, never from the value the user typed on the landing page or from the hint itself.

Note: I have only tested this with OpenID Connect.

So for ADFS, the URL would be:

https://my-adfs44/adfs/oauth2/authorize/?client_id=c3…e45f&redirect_uri=http://help2&response_mode=form_post&response_type=code&scope=openid+profile&nonce=nonce&login_hint=joe@company.com

This results in the ADFS sign-in page with the username field pre-populated with joe@company.com (screenshot omitted).

For B2C, the URL would be:

https://my-b2c.b2clogin.com/my-b2c.onmicrosoft.com/oauth2/v2.0/authorize?p=B2C_1_SignUpSignInV2&client_id=56b…f0d&nonce=defaultNonce&redirect_uri=https%3A%2F%2Fjwt.io&scope=openid&response_type=id_token&prompt=login&login_hint=joe@gmail.com

This results in the B2C sign-in page with the email field pre-populated with joe@gmail.com (screenshot omitted).

Just for completeness, this also works with Azure AD.

The URL would be:

https://login.microsoftonline.com/00d…c79/oauth2/authorize?client_id=d93…125d&redirect_uri=https%3A%2F%2Fjwt.io&response_mode=form_post&response_type=code&scope=openid+profile&nonce=nonce&login_hint=joe@company.com

This results in the Azure AD sign-in page with the username field pre-populated with joe@company.com (screenshot omitted).

Nice!

All good!
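Putting the pieces together, here is an added example (not code from the original post) of the landing-page logic described above: pick ADFS or B2C from the domain of the entered email address, then build the authorize URL with login_hint carrying the address across. The authorize endpoints and the B2C policy name are the ones from the URLs above; the client IDs are placeholders rather than the post’s values, and the redirect URI and the list of corporate domains are assumptions. The example also adds a random state and nonce per request, which the sample URLs above do not bother with, because the application needs them to validate the callback.

```python
"""Added example (not from the original post): route a user to ADFS or B2C by email
domain and carry the address over with login_hint. Hosts and the B2C policy name follow
the post; client IDs, redirect URI and the corporate-domain list are assumptions."""
import secrets
from typing import Dict, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

# Hypothetical IdP configuration. The authorize endpoints and the B2C policy name are the
# ones the post uses; the client IDs are placeholders, not the values from the post.
IDPS: Dict[str, Dict] = {
    "adfs": {
        "authorize": "https://my-adfs44/adfs/oauth2/authorize/",
        "client_id": "ADFS_CLIENT_ID_PLACEHOLDER",
        "extra": {},
    },
    "b2c": {
        "authorize": "https://my-b2c.b2clogin.com/my-b2c.onmicrosoft.com/oauth2/v2.0/authorize",
        "client_id": "B2C_CLIENT_ID_PLACEHOLDER",
        "extra": {"p": "B2C_1_SignUpSignInV2"},  # B2C selects the user flow via 'p'
    },
}

# Email domains that belong to the company and therefore authenticate at ADFS (assumed).
CORPORATE_DOMAINS = {"company.com"}

# The application's registered callback (assumed; must match the IdP registration exactly).
REDIRECT_URI = "https://app.example.com/signin-oidc"


def choose_idp(email: str) -> str:
    """Home realm discovery: pick the IdP from the domain part of the address.

    The value comes straight from the landing-page form, so it is validated before it is
    used to pick a realm or placed in a URL. Raises ValueError on anything that is not a
    single plain user@domain string.
    """
    email = email.strip()
    if email.count("@") != 1 or any(ch.isspace() for ch in email):
        raise ValueError("login hint must be a single email address")
    local, domain = email.split("@")
    if not local or not domain:
        raise ValueError("login hint must be a single email address")
    return "adfs" if domain.lower() in CORPORATE_DOMAINS else "b2c"


def build_authorize_url(email: str) -> Tuple[str, Dict[str, str]]:
    """Build the OIDC authorize request for the chosen IdP with login_hint set.

    Returns the URL to redirect to and the per-request values (state, nonce, idp) the
    application must keep in the session to validate the callback. state and nonce are
    fresh random values here; the post's sample URLs use fixed placeholders for nonce.
    """
    idp = choose_idp(email)
    cfg = IDPS[idp]
    ctx = {"idp": idp, "state": secrets.token_urlsafe(32), "nonce": secrets.token_urlsafe(32)}
    params = {
        "client_id": cfg["client_id"],
        "redirect_uri": REDIRECT_URI,
        "response_type": "code",
        "response_mode": "form_post",
        "scope": "openid profile",
        "state": ctx["state"],
        "nonce": ctx["nonce"],
        # login_hint only pre-fills the IdP's username field. The authenticated identity
        # must be read from the validated ID token on the callback, never from this value.
        "login_hint": email.strip(),
    }
    params.update(cfg["extra"])
    # urlencode percent-encodes the address ('@' -> '%40') and the redirect URI, and joins
    # the two scopes with '+', which is what the post's URLs show for scope=openid+profile.
    return f"{cfg['authorize']}?{urlencode(params)}", ctx


def login_hint_of(url: str) -> str:
    """Read login_hint back out of an authorize URL (handy for checking what was sent)."""
    return parse_qs(urlsplit(url).query)["login_hint"][0]


if __name__ == "__main__":
    for address in ("joe@company.com", "joe@gmail.com"):
        url, ctx = build_authorize_url(address)
        print(f"{address} -> {ctx['idp']}: {url}")
```

Running it prints one authorize URL per address: the company address goes to the ADFS endpoint and the Gmail address to the B2C endpoint with the p=B2C_1_SignUpSignInV2 policy appended, each carrying login_hint=joe%40… in the query. The domain check is deliberately the only thing the typed address decides; which account actually signed in is established from the ID token when the form_post callback comes back.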


NZ Microsoft Identity dude and MVP. Azure AD/B2C/ADFS/Auth0/identityserver. StackOverflow: https://bit.ly/2XU4yvJ Presentations: http://bit.ly/334ZPt5