diff --git a/tests/test_saml_auth.py b/tests/test_saml_auth.py
index 673b09d33..11cbaa99e 100644
--- a/tests/test_saml_auth.py
+++ b/tests/test_saml_auth.py
@@ -364,6 +364,29 @@ def test_saml_backoffice_redirect(pub):
assert ':next_url>http://example.net/backoffice/<' in request.getOriginalXmlnode()
+def test_saml_login_hint(pub):
+ resp = get_app(pub).get('/login/')
+ assert resp.status_int == 302
+ assert resp.location.startswith('http://sso.example.net/saml2/sso')
+ request = lasso.Samlp2AuthnRequest()
+ request.initFromQuery(urlparse.urlparse(resp.location).query)
+ assert 'login-hint' not in request.getOriginalXmlnode()
+
+ resp = get_app(pub).get('/backoffice/')
+ assert resp.status_int == 302
+ assert resp.location.startswith('http://example.net/login/?next=')
+ resp = resp.follow()
+ assert resp.location.startswith('http://sso.example.net/saml2/sso')
+ request = lasso.Samlp2AuthnRequest()
+ request.initFromQuery(urlparse.urlparse(resp.location).query)
+ assert ':login-hint>backoffice<' in request.getOriginalXmlnode()
+
+ resp = get_app(pub).get('http://example.net/login/?next=/backoffice/')
+ request = lasso.Samlp2AuthnRequest()
+ request.initFromQuery(urlparse.urlparse(resp.location).query)
+ assert ':login-hint>backoffice<' in request.getOriginalXmlnode()
+
+
def test_saml_register(pub):
get_app(pub).get('/register/', status=404)
pub.cfg['saml_identities'] = {'identity-creation': 'self'}
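Review bot: The third case (lines 24-27) reads `resp.location` without first asserting `resp.status_int == 302`, unlike the two cases above it, so a non-redirect response would surface as an AttributeError on `urlparse` rather than as a clear assertion failure; add `assert resp.status_int == 302` after that `get()`. The test only covers targets that should receive the hint; a negative case such as `resp = get_app(pub).get('/login/?next=/')` followed by `assert 'login-hint' not in request.getOriginalXmlnode()` would pin that front-office targets stay hint-free. Since the relative `next=/backoffice/` case presumably depends on saml2.py making the URL absolute before the prefix comparison, also asserting `':next_url>http://example.net/backoffice/<' in request.getOriginalXmlnode()` here, as test_saml_backoffice_redirect does, would cover that normalization directly; the corresponding change is in the second hunk, whose end falls outside this excerpt.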
diff --git a/wcs/qommon/saml2.py b/wcs/qommon/saml2.py
index a453fbd24..ad1cdbe33 100644
--- a/wcs/qommon/saml2.py
+++ b/wcs/qommon/saml2.py
@@ -173,11 +173,20 @@ class Saml2Directory(Directory):
login.msgRelayState = get_request().form.get('next')
next_url = login.msgRelayState or get_publisher().get_frontoffice_url()
+ parsed_url = urlparse.urlparse(next_url)
+ request = get_request()
+ scheme = parsed_url.scheme or request.get_scheme()
+ netloc = parsed_url.netloc or request.get_server()
+ next_url = urlparse.urlunsplit((scheme, netloc, parsed_url.path, parsed_url.query,
+ parsed_url.fragment))
samlp_extensions = '''
- %s
- ''' % escape(next_url)
+ %s''' % escape(next_url)
+ # set login-hint only if backoffice is accessed
+ if next_url.startswith(get_publisher().get_backoffice_url()):
+ samlp_extensions += 'backoffice'
+ samlp_extensions += ''
# work around lasso bug https://dev.entrouvert.org/issues/23001
if hasattr(lasso.Samlp2Extensions, 'any'):
login.request.extensions = lasso.Node.newFromXmlNode(samlp_extensions)