diff --git a/tests/test_saml_auth.py b/tests/test_saml_auth.py
index 673b09d33..11cbaa99e 100644
--- a/tests/test_saml_auth.py
+++ b/tests/test_saml_auth.py
@@ -364,6 +364,29 @@ def test_saml_backoffice_redirect(pub):
 assert ':next_url>http://example.net/backoffice/<' in request.getOriginalXmlnode()
+def test_saml_login_hint(pub):
+ resp = get_app(pub).get('/login/')
+ assert resp.status_int == 302
+ assert resp.location.startswith('http://sso.example.net/saml2/sso')
+ request = lasso.Samlp2AuthnRequest()
+ request.initFromQuery(urlparse.urlparse(resp.location).query)
+ assert 'login-hint' not in request.getOriginalXmlnode()
+
+ resp = get_app(pub).get('/backoffice/')
+ assert resp.status_int == 302
+ assert resp.location.startswith('http://example.net/login/?next=')
+ resp = resp.follow()
+ assert resp.location.startswith('http://sso.example.net/saml2/sso')
+ request = lasso.Samlp2AuthnRequest()
+ request.initFromQuery(urlparse.urlparse(resp.location).query)
+ assert ':login-hint>backoffice<' in request.getOriginalXmlnode()
+
+ resp = get_app(pub).get('http://example.net/login/?next=/backoffice/')
+ request = lasso.Samlp2AuthnRequest()
+ request.initFromQuery(urlparse.urlparse(resp.location).query)
+ assert ':login-hint>backoffice<' in request.getOriginalXmlnode()
+
+
 def test_saml_register(pub):
 get_app(pub).get('/register/', status=404)
 pub.cfg['saml_identities'] = {'identity-creation': 'self'}
diff --git a/wcs/qommon/saml2.py b/wcs/qommon/saml2.py
index a453fbd24..ad1cdbe33 100644
--- a/wcs/qommon/saml2.py
+++ b/wcs/qommon/saml2.py
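Review bot: The new test only exercises `next` values on the application's own host (`/backoffice/` and `http://example.net/login/?next=/backoffice/`), so the scheme/netloc fill-in added in `wcs/qommon/saml2.py` in this same commit is not pinned for a `next` that carries a different host. A case such as `get_app(pub).get('/login/?next=http://other.example/backoffice/')` (host is a constructed placeholder) asserting that `:login-hint>backoffice<` is absent, and what the `:next_url>` element then contains, would document the intended behaviour either way. The existing assertions on `request.getOriginalXmlnode()` give the pattern to follow.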
@@ -173,11 +173,20 @@ class Saml2Directory(Directory):
 login.msgRelayState = get_request().form.get('next')
 next_url = login.msgRelayState or get_publisher().get_frontoffice_url()
+ parsed_url = urlparse.urlparse(next_url)
+ request = get_request()
+ scheme = parsed_url.scheme or request.get_scheme()
+ netloc = parsed_url.netloc or request.get_server()
+ next_url = urlparse.urlunsplit((scheme, netloc, parsed_url.path, parsed_url.query,
+ parsed_url.fragment))
 samlp_extensions = '''
- %s
- ''' % escape(next_url)
+ %s''' % escape(next_url)
+ # set login-hint only if backoffice is accessed
+ if next_url.startswith(get_publisher().get_backoffice_url()):
+ samlp_extensions += 'backoffice'
+ samlp_extensions += ''
 # work around lasso bug https://dev.entrouvert.org/issues/23001
 if hasattr(lasso.Samlp2Extensions, 'any'):
 login.request.extensions = lasso.Node.newFromXmlNode(samlp_extensions)
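Review bot: The rebuilt `next_url` keeps whatever scheme and host the caller put in the `next` form parameter (read two lines earlier via `get_request().form.get('next')`); only a missing scheme or netloc is filled from the request, so a `next` pointing at another host is still embedded verbatim into the AuthnRequest extension. If `next` is not validated before this point (the start of the method is outside the hunk, so I cannot tell), consider treating a netloc that differs from `request.get_server()` as invalid and falling back to `get_publisher().get_frontoffice_url()` before the `urlunsplit` call, with a comment stating that `next` is caller-controlled. Separately, `urlparse.urlparse` splits `;params` out of the path while the tuple passed to `urlunsplit` is built from `parsed_url.path` only, so path parameters are silently dropped; `parsed_url = urlparse.urlsplit(next_url)` keeps the two calls symmetric. The `startswith` comparison for the login hint is only as strict as the trailing slash of `get_backoffice_url()`; a comment noting whether that value is guaranteed to end with `/` would help the next reader.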