The identity provider issues an alias for an application in the RelayState parameter.
For more information, see the documentation supplied by the identity provider vendor.
You have trusted the identity provider.
Use this procedure to protect application URLs when performing identity provider-initiated Single Sign-On (SSO). Security Assertion Markup Language (SAML) 2.0 uses a RelayState parameter to restore the original application URL so that the user can return to the application with a SAML assertion. Exposing the application URL in SAML messages can be a security risk. For service provider-initiated SSO, the service provider saves the URL and places the name of the cookie in the relay state. For identity provider-initiated SSO this option is not available. Instead you can have the identity provider place an alias for the application in the relay state and map the alias to the application on the service provider.
If the relay state does not match any relay state known to the service provider, an error occurs.
If the relay state is empty, the service provider uses the default application path.
For more information, see Configuring the Default Application Path .