SAML redirection seen as CDA requests
If CDA is enabled, when redirecting user to SAML SP through LL::NG::Portal::Simple->autoRedirect, redirection url is seen as a CDA request. So IdP user session id is sent to SP. By chance, as this should happen only at SLO, session should be deleted. But this is a security issue.
The bugfix is quite easy: instead of checking that redirection URL is not in main domain, check that it is in a trusted domain.