Having multiple Google accounts (using the hd parameter) #598

Open
@Biganon

I'm using Google as an SAML IdP for my app.

It works, but when a user has 2 Google accounts (say, one for work and one for leisure), during the login process they see the account chooser. This doesn't really make sense, because we know we want to choose the address that ends with @mycompany.com.

Worse: if they pick the wrong account (the one that isn't configured to work with my app), they get an error, and still get a cookie according to which this account should be used, and they can't reach the account chooser anymore...

According to this link, Google accepts an hd parameter with the domain name you want to automatically pick, and it works great.

Only problem is, it only works on the account chooser page. That's not the page on which we land when connecting with SAML (https://accounts.google.com/o/saml2/something). When adding the hd parameter to this URL (which php-saml lets us do easily with the parameters argument of the login method), it is encoded with the rest of the URL, and passed to the account chooser, as a GET parameter called continue. Therefore the account chooser doesn't receive the actual hd parameter... in other words, the account chooser's URL is like https://accounts.google.com/AccountChooser/signinchooser?continue=https%3A%2F%2Faccounts.google.com%2Fo%2Fsaml2%2Fcontinue%3Fidpid%3Dblah_blah_encoded_url%2Fhd%3Dmy_hd_parameter

Any idea what we could do?

Thanks in advance

PS: if I'm not being clear enough, please just see the link I've included, and consider that I would like to achieve exactly what it is that they're doing, but while using php-saml.
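The nesting described in the post can be checked on any captured redirect URL. This is an added example, not part of the original issue or of php-saml: the hypothetical helper `findParamDepth` follows `continue` targets and reports how many levels down a parameter sits (0 means the page itself receives it). The URLs are constructed samples and `idpid=EXAMPLE` is a placeholder.

```php
<?php
// Added example (not php-saml code). findParamDepth is a hypothetical helper.

/**
 * Return the nesting depth at which $name appears as a query parameter,
 * following the URL stored in $nestKey at each level; null if never found.
 */
function findParamDepth(string $url, string $name, string $nestKey = 'continue', int $maxDepth = 5): ?int
{
    for ($depth = 0; $depth <= $maxDepth; $depth++) {
        $query = parse_url($url, PHP_URL_QUERY);
        if (!is_string($query)) {
            return null;              // malformed URL or no query string
        }
        parse_str($query, $params);   // decodes each value exactly once
        if (array_key_exists($name, $params)) {
            return $depth;
        }
        if (!isset($params[$nestKey]) || !is_string($params[$nestKey])) {
            return null;              // nothing further to unwrap
        }
        $url = $params[$nestKey];     // descend into the redirect target
    }
    return null;
}

// Constructed sample URLs; idpid=EXAMPLE is a placeholder value.
$chooser = 'https://accounts.google.com/AccountChooser/signinchooser';
$samlContinue = 'https://accounts.google.com/o/saml2/continue?idpid=EXAMPLE';

$samples = [
    // hd sits directly on the account chooser URL
    'hd on chooser' => $chooser . '?hd=mycompany.com&continue=' . rawurlencode($samlContinue),
    // hd was appended to the SAML URL and got wrapped inside "continue"
    'hd in continue' => $chooser . '?continue=' . rawurlencode($samlContinue . '&hd=mycompany.com'),
    // hd absent everywhere
    'no hd' => $chooser . '?continue=' . rawurlencode($samlContinue),
];

foreach ($samples as $label => $url) {
    $depth = findParamDepth($url, 'hd');
    printf("%-15s depth=%s\n", $label, $depth === null ? 'not found' : (string) $depth);
}
```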
