Add optional, but on by default, check to ensure that IdP session cookie comes from...