-
James Edwards-Jones authored
Previously we weren't checking this when visiting the /sso page, or when hitting a callback. This is both incorrect behaviour and a security issue as it can be used to join a group. We don't check this on metadata endpoints still, since they are used before SAML is configured for the group.
e6e0627c