Hi Philip,
Thanks for your input.
The link in my application redirects the browser to the AzureAD User Access URL, so that a SAML token is generated. AzureAD then redirects to the Meraki SAML login URL, and includes the SAML token + the RelayState parameter that contains the "deep link" to the Meraki page.
My expectation was that Meraki would validate the SAML token, interpret the RelayState SAML parameter and redirect me accordingly. I think this is the standard behaviour for SAML SPs.
Something like this (not everything applies because our scenario is IdP-initiated):
(taken from https://developer.okta.com/docs/concepts/saml/ )
A second click would not work because it would repeat the process, starting in AzureAD.
But if I paste the deep link URL (the one stored in the RelayState parameter) into the browser, then it does work because the user is already authenticated.
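
The SP-side handling this post expects, as an added example that is not part of the original post and is not Meraki's or AzureAD's code: after the assertion is validated, the service provider reads RelayState from the IdP's POST and redirects to it only when it points back at the SP itself. The origin `dashboard.example.com`, the function names and the sample form bodies are assumptions constructed for illustration; assertion validation is represented by a boolean.

```python
from urllib.parse import parse_qs, urlsplit

SP_ORIGIN = "https://dashboard.example.com"  # hypothetical SP origin (assumption)
DEFAULT_LANDING = "/"                        # used when RelayState is absent or rejected


def resolve_relay_state(relay_state, sp_origin=SP_ORIGIN, default=DEFAULT_LANDING):
    """Return the local path the SP should redirect to after a valid assertion."""
    if not relay_state:
        return default
    # Backslashes and control characters can be normalised by browsers into
    # a different URL than the one parsed here, so refuse them outright.
    if any(c in relay_state for c in "\\\r\n\t"):
        return default
    target = urlsplit(relay_state)
    origin = urlsplit(sp_origin)
    if target.scheme or target.netloc:
        # Absolute or scheme-relative URL: accept only the SP's own scheme and host.
        if (target.scheme, target.netloc.lower()) != (origin.scheme, origin.netloc.lower()):
            return default
    path = target.path or "/"
    if not path.startswith("/") or path.startswith("//"):
        return default
    return path + ("?" + target.query if target.query else "")


def handle_acs_post(form_body, assertion_is_valid):
    """Model of the SP's assertion consumer endpoint for an IdP-initiated login.

    assertion_is_valid stands in for the signature, audience and expiry
    checks on SAMLResponse, which are out of scope for this example.
    """
    fields = parse_qs(form_body, keep_blank_values=True)
    if "SAMLResponse" not in fields or not assertion_is_valid:
        return (403, None)
    relay_state = fields.get("RelayState", [""])[0]
    return (302, resolve_relay_state(relay_state))
```

Restricting RelayState to the SP's own origin keeps the deep link working while preventing the login endpoint from acting as an open redirect.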