Login hint support

Login hints elevate customer experiences by streamlining various aspects of the authentication and registration journeys. They enable seamless sign-in and registration for users by providing contextual information to Strivacity. Whether optimizing the sign-in flow for redirected users, simplifying the registration journey for new customers, or expediting the onboarding process for invited users, login hints allow you to deliver frictionless brand interactions.

📘

Strivacity also supports SAML-based login hints.

OIDC hint

User identification login hint

You can streamline the sign-in experience with login hints when users are redirected from your application or website. In this scenario, Strivacity makes the account selection for the user, so users only have to enter their password or continue with MFA.

Once a user enters their credentials, you can pass a login hint parameter as a JWT token to the login flow containing the user’s identifier. Strivacity’s built-in login hint capability will automatically consume the JWT token at redirection.

📘

Strivacity expects the payload of the user identification login hint in the following format:

{
    "type": "identifier",
    "metadata": {
        "username": "natalie.estevez",
        "email": "[email protected]"
    }
}

Registration login hint

Login hints also allow you to streamline the registration process for users. For example, after you’ve collected a user’s email address or other information on your website, you can pass on that information with a login hint parameter when they are redirected to sign up. This way users don’t have to enter the same information multiple times.

📘

Strivacity expects the payload of the user registration login hint in the following format:

{
  "type": "registration",
  "metadata": {
    "attributes": {
      "name": {
        "givenName": "John",
        "middleName": "Hodor",
        "familyName": "Snow",
        "nickName": "Johnny"
      }
    }
  }
}

How to

JSON Web Tokens (JWTs) are used to deliver the login hint payload from the browser to Strivacity. JWTs are passed from the brand portal to Strivacity via the OIDC authorization endpoint by appending the JWT to the URL query string. Construct the JWT useing a tool of your choice and append it to the authentication call URL:

https://yourdomain.strivacity.com/oauth2/auth?login_hint=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ0eXBlIjoib3JnYW5pemF0aW9uIiwib3JnYW5pemF0aW9uIjp7InJvdXRlIjoic2Fhc2lpIn19.

The header and payload part of the encoded JWT string should appear as follows.

📘

Login hint encoded in a JWT token

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ0eXBlIjoib3JnYW5pemF0aW9uIiwib3JnYW5pemF0aW9uIjp7InJvdXRlIjoic2Fhc2lpIn19.

🚧

An important dot

Only the header and payload are needed for the login hint. If you include the signature, the organizational login hint will NOT work. Please make sure to always include the . character at the end of your JWT string right after the payload.

SAML hint

SAML assertion

Strivacity supports SAML-based customization of user authentication. Strivacity as an SAML provider can accept login hints containing user information in the form of Subject.NameID, similar to how the login_hint parameter is used in OIDC.

Your brand portal can include the user’s Subject.NameID in the SAML AuthRequest sent to Strivacity’s authorization endpoint. Strivacity then consumes the request and authenticates the user by issuing a SAML assertion.

Strivacity expects the SAML AuthRequest in the following format:

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="12345" Version="2.0" IssueInstant="2024-03-04T12:00:00Z" Destination="https://saml-provider.com/authn">
  saml:Issuer<https://yourbrandportal.io</saml:Issuer>>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"/>
  samlp:Subject
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">[email protected]</saml:NameID>
  </samlp:Subject>
</samlp:AuthnRequest>