diff --git a/sso/sso.go b/sso/sso.go
index d2e17dd..e0fb6f2 100644
--- a/sso/sso.go
+++ b/sso/sso.go
@@ -229,7 +229,7 @@ func ValidateStateCookie(w http.ResponseWriter, r *http.Request, prefix, querySt
 // redirect back to it after SSO login completes.
 func SetReturnToCookie(w http.ResponseWriter, r *http.Request, prefix string) {
 path := r.URL.Path
- if path == "" || path == "/login" || path == "/sso/callback" {
+ if path == "" || path == "/login" || strings.HasPrefix(path, "/sso/") {
 path = "/"
 }
 http.SetCookie(w, &http.Cookie{
diff --git a/sso/sso_test.go b/sso/sso_test.go
index 568156b..cda9121 100644
--- a/sso/sso_test.go
+++ b/sso/sso_test.go
@@ -193,7 +193,7 @@ func TestReturnToDefaultsToRoot(t *testing.T) {
 }
 func TestReturnToSkipsLoginPaths(t *testing.T) {
- for _, p := range []string{"/login", "/sso/callback"} {
+ for _, p := range []string{"/login", "/sso/callback", "/sso/redirect"} {
 rec := httptest.NewRecorder()
 req := httptest.NewRequest(http.MethodGet, p, nil)
 SetReturnToCookie(rec, req, "mcr")
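Review bot: In sso/sso.go, the guard in SetReturnToCookie only string-matches the raw `r.URL.Path`, so a value that is unsafe as a redirect target is still written to the return-to cookie: a path that begins with `//` or contains a backslash can be resolved by a browser as another host once it is used in a redirect. The code that reads the cookie is not in this hunk, so this may already be handled there; if it is not, extend the condition with `|| strings.HasPrefix(path, "//") || strings.Contains(path, "\\")`. The prefix test also leaves a bare `/sso` and non-canonical spellings such as `/login/` unmatched, which matters only if the router serves them. The function body continues past the end of the hunk.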
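Review bot: In sso/sso_test.go, the table in TestReturnToSkipsLoginPaths lists only paths that must be skipped, so nothing pins where the new `/sso/` prefix match stops. A companion case that expects the path to be kept, for example a constructed `/ssoadmin`, would catch a later loosening to `strings.HasPrefix(path, "/sso")`. The loop body and its assertions continue outside the hunk, so the negative case would need its own test or an expected-value column in the table.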