SSO sign-in flow when using login hints

Google as an IdP supports the login hint parameter to simplify sign-in for users when they perform service provider (SP)-initiated sign-ins. When login hints are present, the Google authentication server uses the hint to:

  • Prefill the email field: The authentication server prefills the email address in the sign-in form, saving the user a step.
  • Enable direct login: If the user associated with the hint already has an active session with Google, the server automatically signs them in, providing a seamless experience.

Requirements for the service provider

If your application knows the identity of the user who's attempting to sign in, it can include the login hint parameter (login_hint) in the HTTP request to the SSO URL. The value of login_hint should be the user's NameID, as in the following example:

https://www.accounts.google.com/o/saml2/idp?idpid=<customer_id>&login_hint=<email_id_of_the_user>
 

Note: Google's SAML IdP doesn't use the NameID that may be present in the Subject element of the AuthnRequest. Use login_hint instead.
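
The following is an added example, not code from Google or from the original page. It shows one way a service provider could append login_hint to its configured SSO URL so that the value is percent-encoded and cannot introduce extra query parameters. The idpid value, the function names, the email shape check and the comparison of the returned NameID with the hint are assumptions of this example.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Strict shape check for the hint (an assumption of this example, not a rule
# from the page): one "@", no whitespace, control or URL-delimiter characters.
EMAIL_SHAPE = re.compile(r"[A-Za-z0-9._%+'-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def add_login_hint(sso_url: str, name_id: str) -> str:
    """Return sso_url with login_hint set to name_id, percent-encoded."""
    if not EMAIL_SHAPE.fullmatch(name_id):
        raise ValueError("login hint is not a plain email address")
    parts = urlsplit(sso_url)
    if parts.scheme != "https":
        raise ValueError("SSO URL must use https")
    # Keep existing parameters such as idpid, but drop any login_hint that is
    # already present so that exactly one hint is sent.
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k != "login_hint"]
    query.append(("login_hint", name_id))
    return urlunsplit(parts._replace(query=urlencode(query)))


def assertion_matches_hint(name_id_from_assertion: str, hint: str) -> bool:
    """Compare the NameID returned by the IdP with the hint that was sent.

    The hint only prefills or selects an account on the sign-in page, so the
    service provider relies on the asserted NameID, not on the hint.
    Case-insensitive comparison is an assumption of this example.
    """
    return name_id_from_assertion.strip().casefold() == hint.strip().casefold()


if __name__ == "__main__":
    # Constructed sample: the idpid value is a placeholder, not a real customer ID.
    base = "https://www.accounts.google.com/o/saml2/idp?idpid=C0nstructed"
    print(add_login_hint(base, "user1@domain.com"))
```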

Sign-in behavior when the login hint is used

The table below summarizes how user sign-in to Google differs when the login hint parameter is present in the SAML request:

| Signed-in users | Login hint value | Behavior |
|---|---|---|
| None | Not present | User sees the regular Google sign-in page. |
| None | user@domain.com | The email address on the Google sign-in page is prefilled with user@domain.com. |
| user1@domain.com | Not present | The Google sign-in page is bypassed and user1 is directly signed in to the service provider. |
| user1@domain.com | user1@domain.com | The Google sign-in page is bypassed and user1 is directly signed in to the service provider. |
| user1@domain.com | user2@domain.com | The Google sign-in page is prefilled with user2@domain.com. |
| user1@domain.com, user2@domain.com | Not present | The Google account chooser screen displays all signed-in users. |
| user1@domain.com, user2@domain.com | user1@domain.com | The Google sign-in page is bypassed and user1 is directly signed in to the service provider. |
| user1@domain.com, user2@domain.com | user2@domain.com | The Google sign-in page is bypassed and user2 is directly signed in to the service provider. |
| user1@domain.com, user2@domain.com | user3@domain.com (a user not signed in to an active session) | The Google sign-in page is prefilled with user3@domain.com. |

 
