fix shibboleth misconfigurations resulting in authentication bypass
This merge request fixes#22267 where a misconfigured Shibboleth `HTTP_UID` or `HTTP_EPPN` could result in users being logged into an account that did not belong to them.
See merge request !7428