Merge pull request #213 from OpenConext/add-azure-domain-hint

Add azure/entra domain hint using "whr" query parameter

Author: pmeulen

src/Surfnet/AzureMfa/Application/Service/AzureMfaService.php

@@ -159,6 +159,17 @@ public function createAuthnRequest(User $user, bool $forceAuthn = false): string
         // Create redirect response.
         $query = $authnRequest->buildRequestQuery();
 
+        // For Azure, add a "whr" query parameter with the domain of the user we want to authenticate.
+        if ($azureMfaIdentityProvider->isAzureAD()) {
+            // EntraID does not accept a Subject like ADFS does, and there is no other way to pass the full user ID.
+            // The Windows home realm hint (whr) parameter can help bypass the Microsoft Account Picker
+            // (Home Realm Discovery) when the user has multiple accounts, thereby improving the user (SSO) experience.
+
+            // Get domain part of the user's email address (UPN) and use that as home realm
+            $domain = $user->getEmailAddress()->getDomain();
+            $query .= '&whr=' . urlencode($domain);
+        }
+
         return sprintf(
             '%s?%s',
             $destination->getUrl(),