Update the crewjam/saml library too.

Enforce group membership checks in the SAML server

See merge request !9

In this scenario there is no need to set 'users_file', instead we
introduce the new boolean attribute 'email_usernames'.

Apparently this is applied even after the redirect, so we can't use it.

Adds the 'base-uri', 'form-action' and 'frame-ancestors' properties.

Do not attempt to call backends (keystore) with empty usernames.

Metrics cover specifically the authentication workflow.

The sess.UserInfo is still unset at that stage, use valid information
instead. This fixes a bug where keys were not being unlocked for users.

Just to cover edge cases when sessions are about to expire.

Makes the authentication cookie quite shorter.

This prevents an error where the keystore will have invalid keys even
in presence of a valid SSO ticket (because the parent auth session has
expired already).

This avoids browsers messing up the session state (given that /login
calls session.Reset) with requests to various kinds of well-known URLs
that might not exist.

Also add an integration test for a server with non-nil URL prefix.

Fix a pretty fundamental error where group memberships could not be
verified. Also adds tests to ensure this does not happen again.