diff --git a/httpsso/handler.go b/httpsso/handler.go
index 75a61ebedd412c260f3817eceaf4c8b498cc46b7..f2a8123fb8aa44ad69ef637364d7ef2e9c275604 100644
--- a/httpsso/handler.go
+++ b/httpsso/handler.go
@@ -142,7 +142,7 @@ func (s *SSOWrapper) redirectToLogin(w http.ResponseWriter, req *http.Request, s
 
 	v := make(url.Values)
 	v.Set("s", service)
-	v.Set("d", req.URL.String())
+	v.Set("d", getFullURL(req, "https").String())
 	v.Set("n", nonce)
 	v.Set("g", strings.Join(groups, ","))
 	loginURL := s.serverURL + "?" + v.Encode()
@@ -159,6 +159,16 @@ func pathFromService(service string) string {
 	return service[i:]
 }
 
+// Return a full URL from a HTTP request, assuming the given scheme
+// (the URL field in net/http.Request normally only contains path and
+// query args).
+func getFullURL(req *http.Request, scheme string) *url.URL {
+	u := *req.URL
+	u.Scheme = scheme
+	u.Host = req.Host
+	return &u
+}
+
 func makeUniqueNonce() string {
 	var b [8]byte
 	if _, err := rand.Read(b[:]); err != nil {