...

This mechanism is fragile because hostname handling is commonly sloppy: SSO is initiated on one hostname, but the response is redirected to a different one. For example, a request issued from "https://www.service.example.org" won't be correlated with a response delivered to "https://service.example.org". In addition, many scenarios in which a browser is launched from another application in response to a clicked hyperlink tend to mishandle cookies set on the initial request. These are the same reasons that led to the abandoning of cookie-backed relay state in the default configuration, so this feature essentially reintroduces the same set of problems, but in an even more fatal way.

...

To block unsolicited responses globally, you must:

  1. Make sure the security-policy.xml file is updated with the "blockUnsolicited" policy from the newly distributed version of the file (obviously unnecessary for new installs).

  2. Add a policyId XML attribute set to "blockUnsolicited" to one of the many places it can appear. For global enforcement, just add it to the <ApplicationDefaults> element.
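As an added illustration of the two steps above (not the distributed configuration files themselves): a security-policy.xml that carries the default policy next to the "blockUnsolicited" policy, followed by the shibboleth2.xml attribute that selects it globally. The entityID and REMOTE_USER values are placeholders, and the `blockUnsolicited="true"` setting on the MessageFlow rule is assumed here as the rule that implements the policy; the page itself does not spell out the policy's contents.

```xml
<!-- security-policy.xml: the default policy alongside the one that rejects
     unsolicited responses. Both are shown so the single difference is visible. -->
<SecurityPolicies xmlns="urn:mace:shibboleth:2.0:native:sp:config">

    <!-- Default policy: accepts unsolicited (IdP-initiated) SSO responses. -->
    <Policy id="default" validate="false">
        <PolicyRule type="MessageFlow" checkReplay="true" expires="60"/>
        <PolicyRule type="Conditions">
            <PolicyRule type="Audience"/>
        </PolicyRule>
        <PolicyRule type="ClientCertAuth" errorFatal="true"/>
        <PolicyRule type="XMLSigning" errorFatal="true"/>
        <PolicyRule type="SimpleSigning" errorFatal="true"/>
    </Policy>

    <!-- Same rule set, but the MessageFlow rule additionally rejects any
         response that does not match a request the SP itself issued
         (assumed attribute, not taken from this page). -->
    <Policy id="blockUnsolicited" validate="false">
        <PolicyRule type="MessageFlow" checkReplay="true" expires="60"
                    blockUnsolicited="true"/>
        <PolicyRule type="Conditions">
            <PolicyRule type="Audience"/>
        </PolicyRule>
        <PolicyRule type="ClientCertAuth" errorFatal="true"/>
        <PolicyRule type="XMLSigning" errorFatal="true"/>
        <PolicyRule type="SimpleSigning" errorFatal="true"/>
    </Policy>

</SecurityPolicies>

<!-- shibboleth2.xml (fragment): referencing the policy on <ApplicationDefaults>
     applies it to every application unless an <ApplicationOverride> names a
     different policyId. entityID and REMOTE_USER are placeholder values. -->
<ApplicationDefaults entityID="https://sp.example.org/shibboleth"
                     REMOTE_USER="eppn persistent-id targeted-id"
                     policyId="blockUnsolicited">
    <!-- Sessions, SSO handlers, MetadataProvider, etc. are unchanged -->
</ApplicationDefaults>
```

After the change, an IdP-initiated response that arrives without a matching outstanding request is rejected by the SP instead of establishing a session, which is the behaviour the two steps above are meant to produce.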