James Edwards-Jones authored Feb 11, 2019 and Yorick Peterse committed Mar 15, 2019

Previously we weren't checking this when visiting the /sso page,
or when hitting a callback. This is both incorrect behaviour and
a security issue as it can be used to join a group.

We don't check this on metadata endpoints still, since they are
used before SAML is configured for the group.