Lock down the SSO handler to more specific URLs. Bugzilla #373