Support target site on distinct domain

Created on 7 March 2023, over 1 year ago

Problem/Motivation

I have a scenario with two separate applications in a dev environment:
- A Drupal site with a CAS mock server.
- A non-Drupal web application (Nextcloud) that also wants to do CAS logins, using the same user accounts.

Both of these are on distinct domains.
(This is imposed by my Docker setup. Perhaps I could find a solution to have them on the same domain, but I still think this should be fixed in the module.)

Problem:
We get "Redirects to external URLs are not allowed by default, use \Drupal\Core\Routing\TrustedRedirectResponse for it."

Steps to reproduce

(I am doing this with openeuropa/oe_authentication and EU Login, but probably it can be reproduced without that).

  1. Set up web sites A and B, as described above.
  2. Make sure they use different domains.
  3. Website A has cas_mock_server. Website B just wants to use website A for logins, using the CAS protocol.
  4. Open an incognito tab. Visit B. Attempt to log in.
    -> You get redirected to the cas_mock_server login form in A.
  5. Enter the mock username and password. Submit the CAS mock form.

Expected:
You are logged in to website B.

Actual:
"Redirects to external URLs are not allowed by default, use \Drupal\Core\Routing\TrustedRedirectResponse for it."

Proposed resolution

Use a TrustedRedirectResponse.

Remaining tasks

User interface changes

API changes

Data model changes

📌 Task
Status

Active

Version

2.0

Component

Miscellaneous

Created by

🇩🇪 Germany donquixote


Comments & Activities

  • Issue created by @donquixote
  • @donquixote opened merge request.
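
Switching to TrustedRedirectResponse lifts Drupal's default block on external redirect targets, so the CAS service URL should be checked before it is trusted. The following is an added example, not code from cas_mock_server or the merge request; the function name, the host allowlist and the sample URLs are assumptions constructed for illustration.

```php
<?php
// Added example; not cas_mock_server code. Names and hosts are constructed.

/**
 * Builds the post-login redirect for a CAS "service" URL.
 *
 * Returns the URL with the ticket appended, or NULL when the service URL
 * is not on the allowlist and must not be given to a trusted redirect.
 */
function build_service_redirect(string $service, string $ticket, array $allowed_hosts): ?string {
  // Control characters, spaces and backslashes are parsed differently by
  // browsers and by parse_url(), so refuse them outright.
  if (preg_match('/[\x00-\x20\\\\]/', $service)) {
    return null;
  }
  $parts = parse_url($service);
  if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
    return null;
  }
  if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
    return null;
  }
  // Userinfo can make a URL look like it points at an allowed host.
  if (isset($parts['user']) || isset($parts['pass'])) {
    return null;
  }
  // Exact host match only; no suffix or substring comparison.
  if (!in_array(strtolower($parts['host']), $allowed_hosts, true)) {
    return null;
  }
  // Drop any fragment, then append the ticket as a query parameter.
  $base = explode('#', $service, 2)[0];
  $separator = isset($parts['query']) ? '&' : '?';
  return $base . $separator . 'ticket=' . rawurlencode($ticket);
}

// Constructed sample input: site B (Nextcloud) lives on its own domain.
$allowed_hosts = ['nextcloud.example.test'];
$samples = [
  'https://nextcloud.example.test/login?next=%2F',
  'https://other.example.test/login',
  'https://nextcloud.example.test@other.example.test/login',
];
foreach ($samples as $service) {
  $target = build_service_redirect($service, 'ST-constructed-1', $allowed_hosts);
  // In a Drupal controller a non-NULL $target is what would be passed to
  // new \Drupal\Core\Routing\TrustedRedirectResponse($target).
  echo $service, ' => ', $target ?? 'REJECTED', PHP_EOL;
}
```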