In this SAML SSO flow, the customer has two IdPs: one is OpenAM and the other is Azure AD. To route between them, the customer uses an IdP proxy layer, which is also an OpenAM server, to determine which IdP the SAML request should be sent to.
The customer has completed the SAML SSO setup and it is working. However, the customer does not want users to enter their username again when they are authenticated by Azure AD, because they have already entered it once on the proxy layer.
For Azure AD, the customer found a parameter called login_hint that passes the username to Azure AD automatically, so users only need to enter their password. However, it has to be appended to the Azure AD login URL, and its value has to change for each username.
For OpenAM, when the customer imports Azure AD as a remote IdP, the only place where the login_hint value can be added to the Azure AD login URL is:
Applications > SAML > Entity Provider (Azure AD) > Services > Single SignOn Service
However, the customer cannot change this configuration dynamically in the OpenAM console. The customer found the place in IDPProxyUtil.class of openam-federation-library where login_hint can be appended. At line 193:
destination = endpoint.getLocation() + "/?login_hint=USERNAME";
The destination parameter is the login URL that OpenAM sends the SAML request to, and USERNAME is then pre-filled on the Azure AD login page.
Now the customer wants to find out how to pass the username into this "destination" parameter dynamically instead of hardcoding it.
RFE request: ForgeRock should provide an enhancement so that the login_hint feature fits the OpenAM structure; this would improve the user experience.
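As an added illustration (not ForgeRock's code and not the line from IDPProxyUtil.class quoted above), the following hypothetical Java helper shows what building the destination dynamically could look like: it takes the username authenticated at the proxy layer as a parameter, URL-encodes it so that characters such as "&" or "#" cannot add or truncate query parameters, and preserves any query string already configured on the Single SignOn Service endpoint. The tenant URL in main is a constructed placeholder.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

public final class LoginHintDestination {

    private LoginHintDestination() {}

    /**
     * Build the IdP SSO destination with a login_hint query parameter.
     * Hypothetical helper for illustration, not OpenAM code.
     *
     * @param ssoLocation the configured Single SignOn Service location
     * @param username    the username already authenticated at the proxy layer
     * @return the location with login_hint appended, or unchanged if no username
     */
    public static String withLoginHint(String ssoLocation, String username) {
        if (ssoLocation == null || ssoLocation.isEmpty()) {
            throw new IllegalArgumentException("SSO location is required");
        }
        if (username == null || username.isEmpty()) {
            // Nothing to hint: send the request to the endpoint as configured.
            return ssoLocation;
        }
        // Encode the username so it cannot inject extra query parameters
        // or a fragment into the IdP login URL.
        String encoded = URLEncoder.encode(username, StandardCharsets.UTF_8);
        // Keep any query string already present on the configured endpoint.
        String separator = ssoLocation.contains("?") ? "&" : "?";
        return ssoLocation + separator + "login_hint=" + encoded;
    }

    public static void main(String[] args) {
        // Constructed sample values; TENANT-ID-PLACEHOLDER is not a real tenant.
        String location = "https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2";
        System.out.println(withLoginHint(location, "alice@example.com"));
        // A username containing '&' is encoded rather than splitting the query.
        System.out.println(withLoginHint(location, "bob&prompt=none"));
    }
}
```

Note that login_hint only pre-fills the account name on the Azure AD page; the user still authenticates with their password there.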