How to autofill username when accessing a SAML SP

Hi,

I have integrated Keycloak with Webex; when users try to log in to Webex it redirects to my Keycloak login page, but I have to write down the username again (the same username I wrote down at the Webex login). Is there a way to “autofill” the username box at Keycloak with the one I have provided at the SP (Webex)?

It’s not a big deal, but it’s annoying to my users having to write down the same username twice always.

Thanks

2 Likes

Hello,

I am also very interested in this.

Azure AD / Office 365 sends the following SAML request to Keycloak:
Request URL: https://keycloak.example.com/auth/realms/example/protocol/saml
Request Method: POST
Form data:
- Relaystate: ....
- SAMLRequest: ....
- username: user@example.com

However, the “username” field isn’t being used to prefill the Keycloak login form. Therefore the user has to enter the username twice:

  • Once at the office.com sign-in page so Azure AD knows where to redirect the login to;
  • Once at the Keycloak login form.

What I would like is that the username field of the Keycloak login form is automatically filled in.

Any suggestions are welcome.

Kind regards, Don

1 Like

For anyone interested, I implemented this through the nginx reverse proxy by first storing the username in a cookie and then using substitution to insert it as the default value into the login form.

Below is the relevant part of the nginx configuration (specifically: ‘perl_set’, ‘add_header’, ‘sub_filter’, ‘sub_filter_once’):

http {
    # Pull the "username" form field out of the SAML POST body.
    perl_set $username '
        sub {
            my $r = shift;
            my $body = $r->request_body;
            # Return an empty value unless the field has the expected shape;
            # the allow-list keeps markup out of the cookie and the login form.
            return "" unless defined $body
                && $body =~ /(?:^|&)username=([A-Za-z0-9._+-]+)%40example\.com(?:&|\z)/;
            return $1."\@example.com";
        }
    ';
}

location /auth/realms/example/protocol/saml {
    proxy_pass http://192.168.1.2:8080;
    proxy_set_header    Host               $host;
    proxy_set_header    X-Real-IP          $remote_addr;
    proxy_set_header    X-Forwarded-For    $proxy_add_x_forwarded_for;
    proxy_set_header    X-Forwarded-Host   $host;
    proxy_set_header    X-Forwarded-Server $host;
    proxy_set_header    X-Forwarded-Port   $server_port;
    proxy_set_header    X-Forwarded-Proto  $scheme;
    access_log /var/log/nginx/keycloak.access.log;
    error_log /var/log/nginx/keycloak.error.log;

    # Store the extracted username in a cookie for the login page request.
    add_header Set-Cookie "username=$username;Path=/";
}

location /auth/realms/example/login-actions {
    proxy_pass http://192.168.1.2:8080;
    proxy_set_header    Host               $host;
    proxy_set_header    X-Real-IP          $remote_addr;
    proxy_set_header    X-Forwarded-For    $proxy_add_x_forwarded_for;
    proxy_set_header    X-Forwarded-Host   $host;
    proxy_set_header    X-Forwarded-Server $host;
    proxy_set_header    X-Forwarded-Port   $server_port;
    proxy_set_header    X-Forwarded-Proto  $scheme;
    access_log /var/log/nginx/keycloak.access.log;
    error_log /var/log/nginx/keycloak.error.log;

    # Replace the empty username field with the value from the cookie.
    sub_filter 'name="username" value=""' 'name="username" value="$cookie_username"';
    sub_filter_once on;
}

1 Like
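
The cookie-and-substitution idea from the post above, as an added example that is not part of the original thread or of Keycloak: it takes the `username` field from a form body shaped like the one Don describes, accepts it only if it matches an allow-list, and HTML-escapes it before writing it into the empty username input. The function names, the allow-list pattern and the sample strings are assumptions constructed for this illustration.

```python
import html
import re
from urllib.parse import parse_qs

# Assumption: only accounts in this domain should ever be prefilled.
ALLOWED_DOMAIN = "example.com"
# Conservative local-part allow-list; anything else is simply not prefilled.
LOCAL_PART = re.compile(r"[A-Za-z0-9._+-]{1,64}")
# The empty field that the sub_filter rule in the thread looks for.
EMPTY_FIELD = 'name="username" value=""'


def username_from_saml_post(body: str) -> str:
    """Return the validated username form field, or "" if absent or invalid."""
    values = parse_qs(body, keep_blank_values=True).get("username", [])
    if len(values) != 1:  # missing or duplicated parameter
        return ""
    local, sep, domain = values[0].partition("@")
    if not sep or domain.lower() != ALLOWED_DOMAIN:
        return ""
    if not LOCAL_PART.fullmatch(local):
        return ""
    return f"{local}@{ALLOWED_DOMAIN}"


def prefill_login_form(page: str, username: str) -> str:
    """Fill the first empty username field, escaping the value for an attribute."""
    if not username:
        return page
    safe = html.escape(username, quote=True)
    return page.replace(EMPTY_FIELD, f'name="username" value="{safe}"', 1)


# Constructed sample data (not captured traffic).
SAMPLE_BODY = "RelayState=abc&SAMLRequest=PHNhbWw%2B&username=user%40example.com"
UNEXPECTED_BODY = "SAMLRequest=x&username=%22%3E%3Cscript%3E%40example.com"
SAMPLE_FORM = '<input id="username" name="username" value="" type="text">'

if __name__ == "__main__":
    for body in (SAMPLE_BODY, UNEXPECTED_BODY):
        print(prefill_login_form(SAMPLE_FORM, username_from_saml_post(body)))
```

A value that fails validation leaves the form untouched, so the user just types the username as before.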

Hello @jorgerodriguez,

I have the same problem of writing the username twice, it’s very annoying for the user experience.

By any chance, did you find a way to auto-fill the username on Keycloak after redirecting from Webex?

Best regards,

No aco, sorry, but I didn’t find any answer…

Hi, how have you configured this with Webex? Could you please share some steps?
Thanks

For anybody that is wondering how to prefill the user name at all, you can have a look at these options, when calling .login(): loginHint, idpHint, here:

Hi, I’ve the same problem.
I didn’t understand the part “then using substitution to insert it as the default value into the login form”.
Where did you implement (or configure) this substitution to prefill the username by reading the cookie?
Thanks in advance for your answer.

Does anyone have the solution?

I am wondering where the loginHint gets the username: from a URL parameter or from a cookie?

Figured it out.

Append the parameter to the URL: &login_hint=user1

And ui_locales=li for localization

How do you set the user in the URL in the first place?