if (session['agov.recovery.redirectDone']) {
  // user navigated back from AGOV.me, go again for the code

  // clean up SAML state first, 
  // IdentityProviderState sets session attributes as follows
  //   <IDP-State-Name>-session-participants.<SAML-RP-ISSUER> = <ACS-URL>
  // State name contains the name of the pattern 'Recovery_redirectAgovMe'
  def s = request.getAuthSession(true)
  def sessionKeySet = new HashSet(session.keySet()) 
  sessionKeySet.each { key -> 
    if ( key ==~ /.*Recovery_redirectAgovMe-session-participants.*/ ) {
      LOG.debug("Deleted session attribute '${key}'")
      s.removeAttribute(key)
    }
  }
  s.removeAttribute('agov.recovery.redirectDone')
  response.setResult('back')
} else {
  // redirect
  response.setSessionAttribute('agov.recovery.redirectDone', 'true')
  response.setResult('redirect')
}