Add domain hint using the whr query parameter for EntraID autehntications

https://learn.microsoft.com/en-us/answers/questions/855476/domain-hint-alternative-for-saml

Author: pmeulen

src/Surfnet/AzureMfa/Application/Service/AzureMfaService.php

@@ -159,6 +159,17 @@ public function createAuthnRequest(User $user, bool $forceAuthn = false): string
         // Create redirect response.
         $query = $authnRequest->buildRequestQuery();
 
+        // For Azure, add a "whr" query parameter with the domain of the user we want to authenticate.
+        if (!$azureMfaIdentityProvider->isAzureAD()) {
+            // EntraID does not accept a Subject like ADFS does, and there is no other way to pass the full user ID.
+            // The Windows home realm hint (whr) parameter can help bypass the Microsoft Account Picker
+            // (Home Realm Discovery) when the user has multiple accounts, thereby improving the user (SSO) experience.
+
+            // Get domain part of the user's email address (UPN) and use that as home realm
+            $domain = $user->getEmailAddress()->getDomain();
+            $query .= '&whr=' . urlencode($domain);
+        }
+
         return sprintf(
             '%s?%s',
             $destination->getUrl(),