I was recently setting up Office 365 w/ SAML federation and one of the things you lose when doing SAML (as opposed to WS-Trust/WS-Fed) is the auto-populating of the user's login ID on the NAM login page. So when a user goes to say outlook.office.com, enters their login/UPN, and then gets redirected to the IdP, they have to enter their login ID a second time. That was always one of the tradeoffs of doing SAML vs. WS-FED/WS-TRUST.
So I was just recently watching the SAML process using SAML tracer and I noticed in the POST from Microsoft, besides the SAMLRequest and the RelayState, they also include the username in that POST to /saml2/sso.
My question is, is there any safe way to consume the username and pre-populate the login box like you can for WS-FED/WS-Trust? Even if it is possible to grab, does this raise security concerns (e.g. XSS attacks) since it is outside the SAML spec (I assume it's outside the spec, maybe it is not?).
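As an added example (not NAM's code and not from the original post), here is the defensive pattern a practitioner would apply if they did decide to consume that extra parameter: treat it as untrusted input, because anyone can POST an arbitrary body to the /saml2/sso endpoint, not just Microsoft. The parameter name `username` is taken from the observation in the question; the login field name `Ecom_User_ID`, the UPN pattern and the optional domain allowlist are assumptions made for illustration. The value is only ever used to pre-fill the text box, never to make any authentication decision.

```python
import html
import re
from urllib.parse import parse_qs

# Assumed UPN shape: local-part@domain, conservative character set, bounded length.
# Anything that does not match is simply ignored; the login box stays empty.
UPN_RE = re.compile(r"^[A-Za-z0-9._%+\-]{1,64}@[A-Za-z0-9.\-]{1,255}$")


def extract_login_hint(form_body: str, allowed_domains=None):
    """Return a validated login hint from a form-encoded POST body, or None.

    The body is attacker-controllable, so the hint is accepted only if it
    appears exactly once, looks like a UPN, and (optionally) belongs to one
    of the federated domains this IdP actually serves.
    """
    fields = parse_qs(form_body, keep_blank_values=True)
    values = fields.get("username", [])   # parameter name as seen in the question
    if len(values) != 1:
        return None                       # missing or duplicated: ignore
    candidate = values[0].strip()
    if len(candidate) > 320 or not UPN_RE.fullmatch(candidate):
        return None
    if allowed_domains is not None:
        domain = candidate.rsplit("@", 1)[1].lower()
        if domain not in allowed_domains:
            return None
    return candidate


def render_login_field(hint):
    """Render the login input with the hint as its value.

    The hint has already been validated, but it is still HTML-escaped
    (quotes included) as defence in depth before being placed in an
    attribute; this is what prevents the XSS the question worries about.
    """
    value = "" if hint is None else html.escape(hint, quote=True)
    return '<input type="text" name="Ecom_User_ID" value="%s">' % value


# Constructed sample bodies (placeholders stand in for the real SAMLRequest/RelayState).
GOOD_BODY = "SAMLRequest=PLACEHOLDER&RelayState=PLACEHOLDER&username=alice%40example.com"
XSS_BODY = "SAMLRequest=PLACEHOLDER&username=alice%40example.com%22%20onfocus%3D%22x"

if __name__ == "__main__":
    print(render_login_field(extract_login_hint(GOOD_BODY)))
    print(render_login_field(extract_login_hint(XSS_BODY)))
```

Two design points worth noting: the strict pattern check means the escaping in `render_login_field` never actually has anything to do, which is the intended layering; and because the hint is only echoed back into the form, a forged or wrong value costs the user nothing more than retyping their ID, exactly the situation the question starts from.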