The issue occurs when a client accesses the H5C application through a non-transparent network intermediary, such as NAT. In this case, the server name part of the request is the address of the intermediary, which cannot be registered as a service provider alias in SSO. Consequently, all login attempts, except those made by accessing H5C by FQDN, fail because service provider registration is rejected. This restriction was originally put in place for security reasons. However, there might be real-world deployment scenarios where a VC/H5C is part of a private network and its IP address is not visible from outside.