Allowed hosts array will contain one empty string item if no option set

[roborourke]

array_map( 'trim', explode( ',', Admin\get_sso_settings( 'sso_whitelisted_hosts' ) ) );

Will resolve to [ '' ] if no hosts have been added to the list. We maybe also should have at least the main or current site URL as an allowed host. This is based on the derived redirect value, so really we just want to prevent redirecting outside of the WP site.