0.4.0: Properly handle protected endpoints with query strings.

To facilitate nginx configuration, we've changed the redirect from
https://$http_host/saml/login?url=$request_uri to
https://$http_host/saml/login$request_uri. I erroneously thought $request_uri
would be encoded, but it wasn't. The old way created a potentially invalid uri.
The new way preserves the original url that we want to come back to.