It's not currently obvious that the SSO redirection page (introduced as a security measure) can be bypassed by use of the sso.client_whitelist option. This option allows specifying a whitelist of client URIs, for which the redirection page won't appear if the client you are being redirected to during SSO login.

We should include some words about it on the yet-to-be-written Single Sign-On documentation page.