SSO sign-in flow when using login hints

Google as an IdP supports the login hint parameter to simplify sign-in for users when they perform service provider (SP)-initiated sign-ins. When login hints are present, the Google authentication server uses the hint to:

  • Prefill the email field: The authentication server prefills the email address in the sign-in form, saving the user a step.
  • Enable direct login: If the user associated with the hint already has an active session with Google, the server automatically signs them in, providing a seamless experience.

Requirements for the service provider

If your application knows the identity of the user who's attempting to sign in, it can include the login hint parameter (login_hint) in the HTTP request to the SSO URL. The value of login_hint should be the user's NameID, as in the following example:

https://www.accounts.google.com/o/saml2/idp?idpid=<customer_id>&login_hint=<email_id_of_the_user>

Note: Google's SAML IdP doesn't use the NameID that may be present in the Subject element of the AuthnRequest. Use login_hint instead.
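One way a service provider could append the hint to the SSO URL, shown as an added example that is not Google's code or part of the original page. The function name add_login_hint and the idpid value are assumptions, and the NameID is assumed to be an email address. The function percent-encodes the hint, rejects values that are not a plain email address so that user-supplied input cannot add or override other query parameters, and replaces any login_hint already in the URL.

```python
import re
from typing import Optional
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Deliberately strict pattern for a NameID in email form (assumption: the
# NameID is an email address, as in the page's example URL).
_EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")


def add_login_hint(sso_url: str, name_id: Optional[str]) -> str:
    """Return sso_url carrying at most one login_hint, set to name_id.

    With name_id=None any existing login_hint is removed, so the IdP
    treats the request as having no hint.
    """
    parts = urlsplit(sso_url)
    if parts.scheme != "https":
        raise ValueError("SSO URL must use https")

    # Keep idpid, SAMLRequest, RelayState, etc., but drop any login_hint
    # already present so the IdP never receives two conflicting values.
    params = [(k, v)
              for k, v in parse_qsl(parts.query, keep_blank_values=True)
              if k != "login_hint"]

    if name_id is not None:
        if not _EMAIL_RE.fullmatch(name_id):
            raise ValueError("login_hint is not a plain email address")
        params.append(("login_hint", name_id))

    # urlencode percent-encodes '@', '+', '&' and '=', so the hint stays
    # inside its own parameter.
    return urlunsplit(parts._replace(query=urlencode(params)))


if __name__ == "__main__":
    # URL shape taken from the page; the idpid value is constructed.
    base = "https://www.accounts.google.com/o/saml2/idp?idpid=C0example"
    print(add_login_hint(base, "user1@domain.com"))
    try:
        add_login_hint(base, "user1@domain.com&idpid=C0other")
    except ValueError as exc:
        print("rejected:", exc)
```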

Sign-in behavior when the login hint is used

The table below summarizes how user sign-in to Google differs when the login hint parameter is present in the SAML request:

| Signed-in users | Login hint value | Behavior |
|---|---|---|
| None | Not present | User sees the regular Google sign-in page. |
| None | user@domain.com | The email address on the Google sign-in page is prefilled with user@domain.com. |
| user1@domain.com | Not present | The Google sign-in page is bypassed and user1 is directly signed in to the service provider. |
| user1@domain.com | user1@domain.com | The Google sign-in page is bypassed and user1 is directly signed in to the service provider. |
| user1@domain.com | user2@domain.com | The Google sign-in page is prefilled with user2@domain.com. |
| user1@domain.com, user2@domain.com | Not present | The Google account chooser screen displays all signed-in users. |
| user1@domain.com, user2@domain.com | user1@domain.com | The Google sign-in page is bypassed and user1 is directly signed in to the service provider. |
| user1@domain.com, user2@domain.com | user2@domain.com | The Google sign-in page is bypassed and user2 is directly signed in to the service provider. |
| user1@domain.com, user2@domain.com | user3@domain.com (a user not signed in to an active session) | The Google sign-in page is prefilled with user3@domain.com. |