This repository has been archived by the owner on Jul 1, 2024. It is now read-only.

Support for Shibboleth IdPv3 and shibcas authenticator #44

Open
cwaldbieser opened this issue Dec 28, 2019 · 0 comments

@cwaldbieser

Currently ADFS and Okta are supported. In Higher Education the Shibboleth IdP is a very popular SAML2 IdP.

A "vanilla" deployment of shib uses a basic form-based credential, and would probably work with very little in the way of code changes. The Shib IdP can also be configured to delegate actual authentication to a separate system. At my institution, we delegate authentication to Apereo CAS. We use the shibcas authenticator by Unicon.

This means that the awsprocesscreds helper would need to be able to follow the initial request from the Shib IdP, to the CAS authentication service, and back to the Shib IdP to intercept the SAML2 response. I have some experience with this, and I could submit a PR if you are interested.

I also submitted a separate issue because we protect our CAS authentication with Duo Security MFA. This makes the authentication flow have an additional step. The 2 issues are separate, but they are related in a way, as they both require some mechanism where the basic authentication flow has expanded steps.
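An added example, not part of the original issue and not awsprocesscreds code: the last step of the flow described above, taking the SAML2 response out of the auto-submitting form the IdP returns and refusing it if the form posts anywhere other than the expected endpoint. `EXPECTED_ACS`, the class and function names, and the sample page are assumptions made for illustration.

```python
import base64
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the assertion consumer URL the helper expects the IdP to post to.
EXPECTED_ACS = "https://signin.aws.amazon.com/saml"

class SAMLFormParser(HTMLParser):
    """Records the action and inputs of the first form carrying SAMLResponse."""
    def __init__(self):
        super().__init__()
        self.in_form, self.action, self.fields = False, None, {}
        self.result = None  # (action, fields) once a SAML form has closed

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # attribute values arrive with HTML entities decoded
        if tag == "form":
            self.in_form, self.action, self.fields = True, a.get("action"), {}
        elif tag == "input" and self.in_form and a.get("name"):
            self.fields[a["name"]] = a.get("value") or ""

    def handle_endtag(self, tag):
        if tag == "form" and self.in_form:
            if self.result is None and "SAMLResponse" in self.fields:
                self.result = (self.action, self.fields)
            self.in_form = False

def extract_saml_response(page, expected_acs=EXPECTED_ACS):
    """Return the decoded SAML response XML, or raise ValueError."""
    parser = SAMLFormParser()
    parser.feed(page)
    parser.close()
    if parser.result is None:
        raise ValueError("no SAMLResponse form: flow is still at a login or MFA step")
    action, fields = parser.result
    got, want = urlsplit(action or ""), urlsplit(expected_acs)
    if (got.scheme, got.netloc, got.path) != (want.scheme, want.netloc, want.path):
        raise ValueError("SAMLResponse would be posted to %r" % action)
    return base64.b64decode(fields["SAMLResponse"], validate=True)

# Constructed sample: the auto-submitting page an IdP returns after login.
SAMPLE_XML = b'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"/>'
SAMPLE_PAGE = (
    '<html><body onload="document.forms[0].submit()">'
    '<form action="https&#x3a;&#x2f;&#x2f;signin.aws.amazon.com&#x2f;saml" method="post">'
    '<input type="hidden" name="SAMLResponse" value="%s"/></form></body></html>'
    % base64.b64encode(SAMPLE_XML).decode()
)
```

A page without a `SAMLResponse` field raises `ValueError`, which is the signal that the flow has stopped at an intermediate step such as a delegated login or MFA prompt.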
