When configuring an OIDC client, such as an SSO or an OIDC-enabled application, Beyond Identity provides an option to match on login_hint.
When an OIDC client provides a login_hint and this configuration is enabled, Beyond Identity ensures that the username provided by the client matches the username of the user associated with the Beyond Identity passkey used to authenticate.
Without this option enabled, the user is logged in and identified to the OIDC client application by Beyond Identity based on the passkey used to authenticate, regardless of the username entered.
Enabling this option reduces the likelihood of confusion between the user logged in with a passkey and the username entered at a third party's login screen. If the username entered does not match the passkey used, a message is displayed to the user and the authentication does not complete.
To confirm that login_hint is provided by the OIDC client application, review the OIDC_INBOUND events in the Beyond Identity Admin Console.
If this option is enabled and no login_hint is sent by the third party, the system defaults to logging the user in based on the passkey, without also matching the username.
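The three cases above (option on with a matching hint, option on with a mismatched hint, and option on with no hint at all) as an added, runnable model; this is example code, not Beyond Identity's implementation, and the function and field names are assumptions:

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical names; this models the behaviour described above and is not
# Beyond Identity's own code.

@dataclass
class LoginOutcome:
    completed: bool
    username: Optional[str]        # user handed to the OIDC client, if any
    message: Optional[str] = None  # shown to the user when authentication stops


def build_authorize_url(issuer: str, client_id: str, redirect_uri: str,
                        login_hint: Optional[str] = None) -> str:
    """What the OIDC client sends; login_hint is a standard optional parameter."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "state": "constructed-state",  # constructed sample value
    }
    if login_hint is not None:
        params["login_hint"] = login_hint
    return f"{issuer}/authorize?{urlencode(params)}"


def login_hint_from(authorize_url: str) -> Optional[str]:
    """What the IdP sees in the inbound request (None if the client sent no hint)."""
    hints = parse_qs(urlparse(authorize_url).query).get("login_hint")
    return hints[0] if hints else None


def resolve_login(passkey_username: str, login_hint: Optional[str],
                  match_login_hint: bool) -> LoginOutcome:
    """Decide which user (if any) is released to the OIDC client.

    The hint is compared only when the option is on AND a hint was sent;
    with no hint, or with the option off, the passkey alone identifies the user.
    Exact string comparison is an assumption; the page does not specify any
    username normalization.
    """
    if match_login_hint and login_hint is not None and login_hint != passkey_username:
        return LoginOutcome(False, None,
                            "The username entered does not match the passkey used.")
    return LoginOutcome(True, passkey_username)
```

When checking the OIDC_INBOUND events, the absence of a login_hint parameter in the inbound request is the case where the last branch applies even with the option enabled.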