How does Azure AD identify the Principal from a SSO AuthnRequest?

The AuthnRequest is a browser redirect to the Azure IdP. The Azure IdP doesn't know who the user is either. So it displays an Azure login screen in the browser. The user then logs in to Azure (now Azure knows who the user is) and the Azure IdP redirects the browser to the AssertionConsumerService (ACS) URL of the SP with the SAML AuthnResponse from the IdP identifying the user.

The next time the user's browser is redirected to the Azure IdP by an AuthnRequest, Azure looks at the cookies and knows the user has already authenticated and immediately redirects the browser back to the ACS with the SAML AuthnResponse.

The AttributeStatement in the AuthnResponse identifies the user if the IdP has agreed to release personally identifying information about the user to that SP.

Of course, if the user does not have an account in Azure they cannot login. Azure will know who they are from their login information, which is usually their userPrincipalName, which looks like [email protected].

As the comment suggests, the username can be in the AuthnRequest but this is not often used. The SP should not ask for the username as the username "belongs" to the user (although ultimately it "belongs" to the IdP) and the IdP may not be willing to release that information to the SP. If the SP doesn't need to know who the user is, just that they have permission to access the service, then username is irrelevant. Permissions are often granted based on the Attribute set in the AttributeStatement and this can be done without the SP ever needing to know the username of the user.

If the SP supports personalisation, such as preferences for a user, not knowing the username isn't an issue. A SAML attribute such as eduPersonTargetedID can be released by the IdP that has the same value for that combination of IdP/SP (to stop cross-service tracking) and the SP can use that to store preferences for the user without ever needing to know the username.

A common way of using SAML is to replace a username/password login screen with the SAML flow:

  • user goes to https://app.com
  • app sees the user isn't authenticated (no cookie, session or whatever). This is when a non SAML app displays a login screen.
  • app redirects user to their IdP. Easy in the case of a single IdP. app does not use Subject in AuthnRequest.
  • user's IdP displays the login screen for the IdP.
  • user authenticates at IdP
  • IdP redirects browser to the app's ACS URL.
  • app inspects SAMLResponse, looks at the Attribute set and decides whether the user (still possibly anonymous) can get access.
  • if, e.g. user has an Attribute "eduPersonEntitlement" with a value "http://app.com/entitled" then app creates a session for the user and "logs them in" to app.
  • when user's session at app expires, app sends them back to their IdP to see if they are still entitled to access the app.