diff --git a/controllers/auth.go b/controllers/auth.go
index 8e5b136b..24849a1e 100644
--- a/controllers/auth.go
+++ b/controllers/auth.go
@@ -719,7 +719,8 @@ func (c *ApiController) Login() {
 setHttpClient(idProvider, provider.Type)
- if authForm.State != conf.GetConfigString("authState") && authForm.State != application.Name {
+ stateApplicationName := strings.Split(authForm.State, "-org-")[0]
+ if authForm.State != conf.GetConfigString("authState") && stateApplicationName != application.Name {
 c.ResponseError(fmt.Sprintf(c.T("auth:State expected: %s, but got: %s"), conf.GetConfigString("authState"), authForm.State))
 return
 }
diff --git a/web/src/auth/Provider.js b/web/src/auth/Provider.js
index 6dbde965..b851a896 100644
--- a/web/src/auth/Provider.js
+++ b/web/src/auth/Provider.js
@@ -392,7 +392,11 @@ export function getAuthUrl(application, provider, method, code) {
 let redirectUri = `${redirectOrigin}/callback`;
 let scope = authInfo[provider.type].scope;
 const isShortState = (provider.type === "WeChat" && navigator.userAgent.includes("MicroMessenger")) || (provider.type === "Twitter");
- const state = Util.getStateFromQueryParams(application.name, provider.name, method, isShortState);
+ let applicationName = application.name;
+ if (application?.isShared) {
+ applicationName = `${application.name}-org-${application.organization}`;
+ }
+ const state = Util.getStateFromQueryParams(applicationName, provider.name, method, isShortState);
 const codeChallenge = "P3S-a7dr8bgM4bF6vOyiKkKETDl16rcAzao9F8UIL1Y"; // SHA256(Base64-URL-encode("casdoor-verifier"))
 if (provider.type === "AzureAD") {
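Review bot: The organization suffix that `strings.Split(authForm.State, "-org-")[0]` strips off is never compared against anything, so for a shared application a state of `<app>-org-<anything>` now passes this check as long as the prefix equals `application.Name`; the organization the client put in the state should be verified too, e.g. `stateApplicationName, stateOrganization, hasOrg := strings.Cut(authForm.State, "-org-")` followed by `if hasOrg && stateOrganization != application.Organization { c.ResponseError(...); return }` (assuming the Go Application struct exposes its organization, as the `application.organization` field used on the JS side suggests). Splitting on a bare `-org-` delimiter also truncates any application name that itself contains `-org-`, which would then fail the comparison; `strings.Cut` or `strings.SplitN(..., 2)` at least makes the single-split intent explicit. Matching state against a predictable application name, with or without the org suffix, is a routing check rather than a CSRF binding, but that is pre-existing and not introduced here. The enclosing `Login` function starts and ends outside the hunk.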
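Review bot: `application?.isShared` guards against a null `application` one line after `application.name` has already been dereferenced unconditionally, so the optional chaining either never matters or comes too late; write `application.isShared` for consistency, or move the guard ahead of the first access. The `-org-` delimiter is a magic string that has to match the server-side split in `controllers/auth.go`; a comment on the `if`, such as `// must match the "-org-" split of the state in controllers/auth.go Login()`, would keep the two sides in sync, and an application name that itself contains `-org-` will be mis-split by the server. If `application.organization` can be undefined for a shared application, the state becomes `<name>-org-undefined`, which the server as patched would still accept because it only checks the prefix; worth a guard if that can occur. The enclosing `getAuthUrl` function starts and ends outside the hunk.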