diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 5528420..2439844 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -19,6 +19,7 @@ jobs:
 - uses: shivammathur/setup-php@v2
 with:
 php-version: ${{ matrix.php-versions }}
+ extensions: gnupg
 - name: Validate dependencies
 run: composer validate
diff --git a/README.md b/README.md
index 93bc48e..ed64609 100644
--- a/README.md
+++ b/README.md
@@ -1,6 +1,6 @@
 # AuthForge
-A collection of components to integrate industry-standard authentication and authorization
+A collection of PHP components to integrate industry-standard authentication and authorization
 [![github.com](https://github.com/modethirteen/AuthForge/workflows/build/badge.svg)](https://github.com/modethirteen/AuthForge/actions?query=workflow%3Abuild)
 [![codecov.io](https://codecov.io/github/modethirteen/AuthForge/coverage.svg?branch=main)](https://codecov.io/github/modethirteen/AuthForge?branch=main)
diff --git a/src/ServiceProvider/Saml/Exception/SamlInvalidRelayStateUri.php b/src/ServiceProvider/Saml/Exception/SamlInvalidRelayStateUri.php
new file mode 100644
index 0000000..75ce690
--- /dev/null
+++ b/src/ServiceProvider/Saml/Exception/SamlInvalidRelayStateUri.php
@@ -0,0 +1,20 @@
+debug('Found RelayState', ['RelayState' => $relayState]);
 try {
- return XUri::isAbsoluteUrl($relayState)
- ? XUri::newFromString($relayState)
- : $saml->getRelayStateBaseUri()->atPath($relayState);
+ if(XUri::isAbsoluteUrl($relayState)) {
+ if(!$saml->isValidRelayStateUri($relayState)) {
+ throw new SamlInvalidRelayStateUri();
+ }
+ return XUri::newFromString($relayState);
+ } else {
+ return $saml->getRelayStateBaseUri()->atPath($relayState);
+ }
 } catch(MalformedPathQueryFragmentException $e) {
 $this->logger->warning('Could not append relative RelayState to service provider base URI, {{Error}}', [
 'Error' => $e->getMessage()
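Review bot: The CI job now installs the `gnupg` PHP extension on the added `extensions: gnupg` line, but nothing in this diff adds a matching `ext-gnupg` requirement to composer.json; if the library needs the extension at runtime, `composer validate` still passes on a manifest that does not declare it and consumers only discover the gap when the code path runs. Whether composer.json already declares it is not visible here. If the extension is only needed by the test suite, a short comment on the new line such as `# gnupg: needed by <component that uses it>` would make the dependency discoverable to the next person editing the workflow.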
@@ -57,6 +63,11 @@ protected function getRedirectUriFromRequestRelayState(SamlConfigurationInterfac
 'Error' => $e->getMessage()
 ]);
 }
+ catch(SamlInvalidRelayStateUri $e) {
+ $this->logger->warning('RelayState URI does not match service provider base URI, {{Uri}}', [
+ 'Uri' => $e->getMessage()
+ ]);
+ }
 }
 return $saml->getDefaultReturnUri();
 }
diff --git a/src/ServiceProvider/Saml/SamlConfigurationInterface.php b/src/ServiceProvider/Saml/SamlConfigurationInterface.php
index 9b7c2e1..25dd271 100644
--- a/src/ServiceProvider/Saml/SamlConfigurationInterface.php
+++ b/src/ServiceProvider/Saml/SamlConfigurationInterface.php
@@ -170,4 +170,9 @@ public function isNameIdFormatEnforcementEnabled() : bool;
 * @return bool
 */
 public function isStrictValidationRequired() : bool;
+ /**
+ * @return bool
+ */
+ public function isValidRelayStateUri(string $uri) : bool;
 }
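Review bot: The new catch block logs `$e->getMessage()` under the `Uri` context key, but the preceding hunk throws `new SamlInvalidRelayStateUri()` with no message, so the warning will carry an empty `{{Uri}}` unless the exception class (whose body is not readable in this diff) supplies a default; the rejected value is a local in this function, so `'Uri' => $relayState` would record what was actually refused and make the event useful when reviewing redirect rejections. The enclosing function getRedirectUriFromRequestRelayState starts outside this hunk. Separately, only the absolute-URL branch is routed through `isValidRelayStateUri()`; whether `atPath()` on a relative RelayState can ever produce a URI outside the service provider base depends on XUri, which is not visible here, so that is worth confirming rather than assumed.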
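Review bot: The docblock on the new `isValidRelayStateUri()` says only `@return bool` and leaves the contract undefined, although this method is now the single guard deciding whether an absolute RelayState URL from an IdP response may be redirected to, and implementors will read this interface rather than the caller. Suggest `@param string $uri absolute RelayState URL received with the SAML response` plus a sentence stating that it must return true only when the URI belongs to the service provider (the caller's log message phrases this as matching the service provider base URI), so that implementations compare the parsed scheme and host rather than a string prefix. Adding an abstract method to a public interface also breaks existing implementors; if that is intended, the release notes should say so, though no changelog is part of this diff.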