diff --git a/app/controllers/session_controller.rb b/app/controllers/session_controller.rb
index 175844a8204..fbd9859e6af 100644
--- a/app/controllers/session_controller.rb
+++ b/app/controllers/session_controller.rb
@@ -162,7 +162,11 @@ class SessionController < ApplicationController
         if return_path !~ /^\/[^\/]/
           begin
             uri = URI(return_path)
-            return_path = path("/") unless SiteSetting.sso_allows_all_return_paths || uri.host == Discourse.current_hostname
+            if (uri.hostname == Discourse.current_hostname)
+              return_path = uri.request_uri
+            elsif !SiteSetting.sso_allows_all_return_paths
+              return_path = path("/")
+            end
           rescue
             return_path = path("/")
           end
diff --git a/spec/requests/session_controller_spec.rb b/spec/requests/session_controller_spec.rb
index 96427a9d76f..7264196a618 100644
--- a/spec/requests/session_controller_spec.rb
+++ b/spec/requests/session_controller_spec.rb
@@ -311,6 +311,15 @@ RSpec.describe SessionController do
 
       get "/session/sso_login", params: Rack::Utils.parse_query(sso.payload), headers: headers
       expect(response).to redirect_to('/')
+
+      sso = get_sso("http://#{Discourse.current_hostname}/sso?bla=1")
+      sso.email = user.email
+      sso.external_id = 'abc'
+      sso.username = 'sam'
+
+      get "/session/sso_login", params: Rack::Utils.parse_query(sso.payload), headers: headers
+      expect(response).to redirect_to('/')
+
     end
 
     it 'can take over an account' do