diff --git a/config/initializers/omniauth.rb b/config/initializers/omniauth.rb
index 6f4af204..1dcfbe19 100644
--- a/config/initializers/omniauth.rb
+++ b/config/initializers/omniauth.rb
@@ -8,8 +8,13 @@ Rails.application.config.omniauth_ldap = ENV['LDAP_SERVER'].present?
 
 Rails.application.config.middleware.use OmniAuth::Builder do
   provider :twitter, ENV['TWITTER_ID'], ENV['TWITTER_SECRET']
-  provider :google_oauth2, ENV['GOOGLE_OAUTH2_ID'], ENV['GOOGLE_OAUTH2_SECRET'],
-    scope: ['profile', 'email', 'youtube', 'youtube.upload'], access_type: 'online', name: 'google'
+  provider :google_oauth2,
+    ENV['GOOGLE_OAUTH2_ID'],
+    ENV['GOOGLE_OAUTH2_SECRET'],
+    scope: ['profile', 'email', 'youtube', 'youtube.upload'], 
+    access_type: 'online', 
+    name: 'google',
+    hd: ENV['GOOGLE_OAUTH2_HD'].blank? ? nil : ENV['GOOGLE_OAUTH2_HD']
   provider :ldap,
     host: ENV['LDAP_SERVER'],
     port: ENV['LDAP_PORT'],
diff --git a/env b/env
index 5af29171..7feb9d49 100644
--- a/env
+++ b/env
@@ -33,8 +33,13 @@ TWITTER_SECRET=
 #   For the callback URL use 'http://<your hostname:port>/auth/google/callback'
 #   Once registered copy the ID and Secret here
 #
+#   The GOOGLE_OAUTH2_HD variable is used to limit sign-in to a particular Google Apps hosted domain. This
+#   can be a string such as, 'domain.com'. If left blank, GreenLight will allow sign-in from all Google Apps hosted
+#   domains.
+#
 GOOGLE_OAUTH2_ID=
 GOOGLE_OAUTH2_SECRET=
+GOOGLE_OAUTH2_HD=
 
 # LDAP Login Provider (optional)
 #