SSO allowed hosts is always empty so cross site redirects fail

[roborourke]

Steps to reproduce:

1. Setup a primary user account on the main site of a network, not a super admin, primary site user meta must be present
2. SSO log in to a different sub site
3. Error message comes up saying "abc.com is not a whitelisted cross-network SSO site."

Because Altis hides the plugin UI the settings field to enter allowed hosts is missing, and the default configuration option value is empty. I would expect to not see this error message because as a user I have no way to know how to remedy it, and as an admin I have no way to fix it via settings.

Acceptance criteria:

• Stop hiding the UI, or provide a subset of the UI suitable for Altis
• or, filter wpsimplesaml_allowed_hosts to allow any hosts that are part of the network by default

[mikelittle]

I think the use of the wpsimplesaml_allowed_hosts filter should be added to the documentation.