fix shibboleth misconfigurations resulting in authentication bypass

This merge request fixes #22267 where a misconfigured Shibboleth `HTTP_UID` or `HTTP_EPPN` could result in users being logged into an account that did not belong to them.

See merge request !7428