The binding URL for POST or REDIRECT binding that is configured or loaded from the IdP metadata is used in two ways:

  • It is included in the SAML request as the Destination attribute:
    <samlp:AuthnRequest Destination="" ... >
  • It is the URL the SAML request is sent to.

In some cases, different URLs are needed for these two purposes, e.g. to add a parameter to the URL that should not appear in the SAML request.

To do this, override the URL the SAML request is sent to by configuring the request URL parameter.

One use case for this is preselecting the hosted domain when using Google Cloud Identity as SAML IdP. When logged in to multiple Google Cloud Identity instances, a page is shown to select the account to be used for login.

To avoid this, the parameter hd=<your.domain> can be appended to the URL when redirecting to the IdP, but authorization will fail if this parameter is contained in the destination URL within the SAML request.

So to preselect the tenant, copy the binding URL into the request URL field and append hd=<domain>. On the next login, the "choose an account" page is no longer shown.
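The split between the two URLs for the REDIRECT binding, as an added example (not the product's own code): the Destination attribute keeps the plain binding URL, while the browser is sent to the request URL with hd= appended. The IdP URL, idpid value, issuer, request ID and timestamp are constructed placeholders.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, parse_qsl, urlencode, urlsplit, urlunsplit
from xml.sax.saxutils import escape, quoteattr

# Constructed sample values (assumptions, not from a real IdP or SP).
BINDING_URL = "https://idp.example.com/saml2/idp?idpid=EXAMPLE"
REQUEST_URL = BINDING_URL + "&hd=example.com"  # binding URL plus hd=<domain>


def build_authn_request(destination, issuer, request_id, issue_instant):
    """Minimal AuthnRequest; Destination carries the binding URL only."""
    return (
        '<samlp:AuthnRequest'
        ' xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"'
        ' xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"'
        f' ID={quoteattr(request_id)} Version="2.0"'
        f' IssueInstant={quoteattr(issue_instant)}'
        f' Destination={quoteattr(destination)}>'
        f'<saml:Issuer>{escape(issuer)}</saml:Issuer>'
        '</samlp:AuthnRequest>'
    )


def redirect_location(request_url, authn_request_xml):
    """REDIRECT binding: raw DEFLATE, base64, then add as SAMLRequest."""
    deflater = zlib.compressobj(wbits=-15)  # raw DEFLATE, no zlib header
    deflated = deflater.compress(authn_request_xml.encode()) + deflater.flush()
    parts = urlsplit(request_url)
    query = parse_qsl(parts.query, keep_blank_values=True)
    query.append(("SAMLRequest", base64.b64encode(deflated).decode()))
    return urlunsplit(parts._replace(query=urlencode(query)))


def destination_in(location):
    """Decode SAMLRequest from a redirect URL and return its Destination."""
    encoded = parse_qs(urlsplit(location).query)["SAMLRequest"][0]
    xml = zlib.decompress(base64.b64decode(encoded), -15)
    return ET.fromstring(xml).get("Destination")


def login_redirect():
    # Constructed issuer, ID and timestamp; a real SP generates these per request.
    xml = build_authn_request(BINDING_URL, "https://sp.example.com/saml/metadata",
                              "_constructed-id-1", "2024-01-01T00:00:00Z")
    return redirect_location(REQUEST_URL, xml)


if __name__ == "__main__":
    print(login_redirect())
```

Decoding the SAMLRequest from the resulting URL with destination_in() is a quick way to confirm that hd= appears only in the query string and not in Destination.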