The configuration uses SAML2 in standalone mode, with AM set up as an IdP proxy and a third-party application as the service provider. When SSO is initiated from the SP side, the RelayState parameter directs the user to the desired location after successful authentication in the SAML2 flow.
On AM 22.214.171.124, the IdP proxy was able to POST the RelayState back to the SP after authenticating on the IdP; however, on 6.5.3 the RelayState is no longer POSTed back to the SP with the SAML response.
This has been tested without the IdP proxy, between two AM instances acting as SP and IdP, and the RelayState works as intended (the user lands on the URL set in RelayState) without setting any 'validation services' or 'Relay State URL List' in the hosted providers.
Follow the steps provided in the following KB:
Beware of the following bug, which impacted setup. Entities may not be added to the CoT properly; use the JATO-based console to remove and re-add entities to the CoT on all hosted providers: https://bugster.forgerock.org/jira/browse/OPENAM-13942
After completing setup, use an example similar to the one below to initiate SP SSO
Check the HAR to see that the RelayState is not POSTed back to the SP along with the SAML response
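One way to run the HAR check from the last step over an exported capture, as an added example that is not part of the original report: it lists every POST carrying a SAMLResponse together with the RelayState sent alongside it. The sample HAR and its example.com URLs are constructed; a result of `None` means no RelayState was posted.

```python
import json
from urllib.parse import parse_qs

def form_fields(request):
    """Form fields of one HAR request as {name: value}."""
    post = request.get("postData") or {}
    params = post.get("params") or []
    if params:
        return {p["name"]: p.get("value", "") for p in params}
    # Some exports keep only the raw urlencoded body in postData.text.
    body = parse_qs(post.get("text") or "", keep_blank_values=True)
    return {name: values[0] for name, values in body.items()}

def saml_response_posts(har):
    """Every POST carrying a SAMLResponse, with its RelayState (None if absent)."""
    hits = []
    for entry in har["log"]["entries"]:
        req = entry["request"]
        if req.get("method") != "POST":
            continue
        fields = form_fields(req)
        if "SAMLResponse" in fields:
            hits.append({"url": req["url"],
                         "relay_state": fields.get("RelayState")})
    return hits

# Constructed sample: the IdP -> proxy POST carries RelayState,
# the proxy -> SP POST does not (the behaviour described in this report).
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"method": "GET", "url": "https://sp.example.com/app"}},
    {"request": {"method": "POST", "url": "https://proxy.example.com/acs",
                 "postData": {"params": [
                     {"name": "SAMLResponse", "value": "PHNhbWxwOlJlc3BvbnNlLz4="},
                     {"name": "RelayState", "value": "https://sp.example.com/landing"}]}}},
    {"request": {"method": "POST", "url": "https://sp.example.com/acs",
                 "postData": {"text": "SAMLResponse=PHNhbWxwOlJlc3BvbnNlLz4%3D"}}},
]}}

if __name__ == "__main__":
    import sys
    har = SAMPLE_HAR
    if len(sys.argv) > 1:  # path to a HAR exported from the browser
        with open(sys.argv[1], encoding="utf-8-sig") as fh:
            har = json.load(fh)
    for hit in saml_response_posts(har):
        state = hit["relay_state"]
        print(hit["url"], "RelayState:", "MISSING" if state is None else state)
```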
If AM is acting as the hosted SP, the RelayState URL value can be set in 'Default Relay State URL'.
This redirects users to the indicated URL if no relay state is specified in the response.
Realm > Applications > Federation > Entity Providers > [hosted SP name] > Assertion Processing > Default Relay State URL