diff --git a/etc/ssokenizer.yml b/etc/ssokenizer.yml
index f42ec1c..af59686 100644
--- a/etc/ssokenizer.yml
+++ b/etc/ssokenizer.yml
@@ -126,4 +126,24 @@ identity_providers:
 client_secret: "$HEROKU_CLIENT_SECRET"
 return_url: "$HEROKU_STAGING_2_RETURN_URL"
 scopes:
- - "$HEROKU_SCOPES"
\ No newline at end of file
+ - "$HEROKU_SCOPES"
+
+ google_auth:
+ secret_auth:
+ bearer_digest: "$AUTH_DIGEST"
+ profile: google
+ client_id: "$GOOGLE_CLIENT_ID"
+ client_secret: "$GOOGLE_CLIENT_SECRET"
+ return_url: "$GOOGLE_AUTH_RETURN_URL"
+ scopes:
+ - "$GOOGLE_SCOPES"
+
+ github_auth:
+ secret_auth:
+ bearer_digest: "$AUTH_DIGEST"
+ profile: github
+ client_id: "$GITHUB_CLIENT_ID"
+ client_secret: "$GITHUB_CLIENT_SECRET"
+ return_url: "$GITHUB_AUTH_RETURN_URL"
+ scopes:
+ - "$GITHUB_SCOPES"
\ No newline at end of file
diff --git a/oauth2/oauth2.go b/oauth2/oauth2.go
index 0f7cc6e..7657431 100644
--- a/oauth2/oauth2.go
+++ b/oauth2/oauth2.go
@@ -78,7 +78,14 @@ func (p *provider) handleStart(w http.ResponseWriter, r *http.Request) {
 defer getLog(r).WithField("status", http.StatusFound).Info()
 tr := ssokenizer.GetTransaction(r)
- http.Redirect(w, r, p.config(r).AuthCodeURL(tr.Nonce, oauth2.AccessTypeOffline), http.StatusFound)
+
+ opts := []oauth2.AuthCodeOption{oauth2.AccessTypeOffline}
+
+ if hd := r.URL.Query().Get("hd"); hd != "" {
+ opts = append(opts, oauth2.SetAuthURLParam("hd", hd))
+ }
+
+ http.Redirect(w, r, p.config(r).AuthCodeURL(tr.Nonce, opts...), http.StatusFound)
 }
 func (p *provider) handleCallback(w http.ResponseWriter, r *http.Request) {
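Review bot: `google_auth` and `github_auth` both read `bearer_digest` from the same `$AUTH_DIGEST`, so a single bearer token appears to authorize use of tokens sealed under either provider. If the two sign-in flows serve different callers, give each entry its own variable, for example `bearer_digest: "$GOOGLE_AUTH_DIGEST"` and `bearer_digest: "$GITHUB_AUTH_DIGEST"` (names are suggestions only). If the sharing is deliberate, a one-line comment above the two entries saying so would settle the question for the next reader. Whether the providers above the hunk also use `$AUTH_DIGEST` is not visible here.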
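Review bot: The `hd` value forwarded in `handleStart` is taken straight from the caller's query string, and for Google it is only an account-chooser hint, so it must not be relied on as a domain restriction; the caller can omit or change it on the start request. If restricting sign-in to a hosted domain is the goal, the `hd` claim of the returned ID token has to be verified after the callback, which would belong in `handleCallback`, whose body is outside this hunk. The parameter is also appended for every provider served by this package, not just the `google` profile, so a comment above the `if` such as `// hd is a Google login hint only; it does not restrict the account domain` would make the limits explicit. The signature line of `handleStart` is outside the hunk and appears only in the `@@` header.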