No data about previous authentication is stored if authentication was not started at the SP (IdP-first flow). That makes the replay protection measures fail, leading to an ugly exception show to the user. Fix that.

Additionally, give precedence to the RelayState configured in the local metadata, as the one received together with the SAML response may not even be an URL.

This resolves #230.