backends/saml2: gracefully handle mismatching ACS

[bajnokk]

This is a new attempt to solve #324 . The error message specifically targets the administrator / logs. Even though the exception message has an assumption (the original relay state might be missing for other, more unlikely reasons), but drawing the admin's attention to the mismatching request address and ACS address is a good idea in this case, IMHO.

Commit message follows:

When the IdP redirects to an ACS which has a different address than the one we used for initiating the request, we are unable to verify the RelayState, since the browser does not send the session cookie. In order to make configuration debugging easier, raise an explanatory SATOSAAuthenticationError instead of a KeyError.

While adding a unit test to check for the proper error reporting, some code duplication was refactored.

All Submissions:

• [x] Have you checked to ensure there aren't other open Pull Requests for the same update/change?
• [x] Have you added an explanation of what problem you are trying to solve with this PR?
• [x] Have you added information on what your changes do and why you chose this as your solution?
• [x] Have you written new tests for your changes?
• [x] Does your submission pass tests?
• [x] This project follows PEP8 style guide. Have you run your code against the 'flake8' linter?

[c00kiemon5ter]

closed by d9864643a5c606b2e2da14c0f5d6c5271178b5ac and 62f8775421734af08a337be18ff208d00a78bc71