identity-idp
WIP for allowing unknown AuthnContext values
🎫 Ticket
Link to the relevant ticket: https://gitlab.login.gov/lg-people/lg-people-appdev/Melba/backlog-fy24/-/issues/51
The backstory is that we have a partner who would like to integrate with Login.gov, but has to send an AuthnContext value that we do not process. (It is a valid AuthnContext for other IdPs that the partner integrates with.)
We currently reject unknown ones, but the spec does not provide any specific guidance about what to do about unknown values.
In terms of what to process, it does read:
> If Comparison is set to "exact" or omitted, then the resulting authentication context in the authentication statement MUST be the exact match of at least one of the authentication contexts specified.
So as long as there is a matching AuthnContext that we can process, this should be fine.
🛠 Summary of changes
This change allows SAML authentication requests to include unknown AuthnContext values.
The WIP does not include accepting unknown OIDC values. The OIDC spec also does not have guidance about how to process unknown values, so ignoring them as long as there is a valid one we can accept.
Changing both would be my preference. That would keep the implementations more consistent. Also, to get this to work for a SAML-only implementation, I think we have to pass more session information into the VoT::Parser class, which doesn't feel great. (Other suggestions on how to make that work if we decide to do SAML-only would be happily accepted!)
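As an added illustration of the "exact" rule discussed above (this is example code written for this page, not identity-idp's SAML handling or the VoT::Parser class), the snippet below parses a constructed AuthnRequest, keeps only the AuthnContextClassRef values the IdP recognizes, and still rejects the request when none of them match. The set of known contexts, the SP issuer and the unknown context URN are assumptions made up for the example; only Comparison="exact" (or omitted) is handled, and any other comparison mode is refused explicitly so it cannot be silently treated as a match.

```ruby
require 'rexml/document'
require 'set'

SAML_NS  = 'urn:oasis:names:tc:SAML:2.0:assertion'
SAMLP_NS = 'urn:oasis:names:tc:SAML:2.0:protocol'

# Assumed set of contexts this IdP knows how to satisfy (constructed for the example;
# identity-idp's real set is not shown here).
KNOWN_CONTEXTS = Set[
  'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport',
  'urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken',
].freeze

# Pull the Comparison attribute and the requested class refs out of an AuthnRequest.
# A missing Comparison attribute defaults to "exact", as the SAML core spec says.
def requested_authn_contexts(xml)
  doc = REXML::Document.new(xml)
  rac = REXML::XPath.first(doc, '//samlp:RequestedAuthnContext', 'samlp' => SAMLP_NS)
  return { comparison: 'exact', class_refs: [] } if rac.nil?

  refs = REXML::XPath.match(rac, 'saml:AuthnContextClassRef', 'saml' => SAML_NS)
                     .map { |e| e.text.to_s.strip }
  { comparison: rac.attributes['Comparison'] || 'exact', class_refs: refs }
end

# Split the requested values into the ones we can act on and the ones we ignore.
# Unknown values are kept in the result so they can be logged rather than lost.
def select_authn_contexts(class_refs, known: KNOWN_CONTEXTS)
  accepted, ignored = class_refs.partition { |ref| known.include?(ref) }
  { accepted: accepted, ignored: ignored }
end

# Decide which context the IdP will assert. With "exact" comparison the spec only
# requires that the asserted context match at least one requested value, so the
# first known value in the SP's order is chosen; with no known value the request
# is rejected, and non-"exact" comparison modes are refused rather than guessed at.
def resolve_authn_context(xml, known: KNOWN_CONTEXTS)
  req = requested_authn_contexts(xml)
  unless req[:comparison] == 'exact'
    return { status: :unsupported_comparison, comparison: req[:comparison] }
  end

  sel = select_authn_contexts(req[:class_refs], known: known)
  if sel[:accepted].empty?
    { status: :rejected, ignored: sel[:ignored] }
  else
    { status: :ok, context: sel[:accepted].first, ignored: sel[:ignored] }
  end
end

# Constructed sample request: one context this IdP does not recognize, followed by
# one it does. The issuer and request ID are placeholders.
SAMPLE_REQUEST = <<~XML
  <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                      xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                      ID="_constructed-request-id" Version="2.0"
                      IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://sp.example.test</saml:Issuer>
    <samlp:RequestedAuthnContext Comparison="exact">
      <saml:AuthnContextClassRef>urn:example:some-other-idp-context</saml:AuthnContextClassRef>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </samlp:RequestedAuthnContext>
  </samlp:AuthnRequest>
XML

if __FILE__ == $PROGRAM_NAME
  p resolve_authn_context(SAMPLE_REQUEST)
end
```

Keeping the ignored values in the return value is deliberate: a request that arrives with an unrecognized context is worth recording in the IdP's logs even when it is accepted, since a new value showing up from a partner is usually the first sign of an integration change.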