Vireo4 allows shibboleth sign in even when the value used as a netid is not present - it appears to match on email in the absence of a netid value.
Vireo4 will create an account if it doesn't find an existing user it can match. If a user's email changes but vireo4 receives a blank or null netid (due to IdP changes or incorrect shibboleth config) then a subsequent sign in to vireo4 will create a new, duplicate account for that user.
If vireo's shibboleth setup uses a field for netid that has a missing value, uses a non-matching field, or where the value is absent or unexpected, then it should throw an error and login should fail.
Vireo4 should provide a specific error such that the shibboleth settings and data provided by the IdP can be investigated.
This lack of a value (null or blank) for netid in the weaver_users table is not sufficient to throw an error as email password sign in is also possible if vireo is configured to allow it. Its presence is mutually exclusive with password. If a netid value is present then password must be null. If a password is present then netid is expected to be null.
Thanks to Nick L for his work on this.
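The fail-closed behaviour requested above, sketched in Java as an added example; this is not Vireo's code. The class, method and attribute names (`NetidLoginCheck`, `shibLogin`, `netid`, `mail`) are hypothetical, and the in-memory user list stands in for the weaver_users table.

```java
import java.util.*;

// Added illustration, not Vireo source; every name here is hypothetical.
public class NetidLoginCheck {
    record User(String email, String netid, String password) {}
    static class LoginRejected extends RuntimeException { LoginRejected(String m) { super(m); } }

    static boolean blank(String s) { return s == null || s.isBlank(); }

    // Rule from the report: a row must not carry both a netid and a password.
    static boolean validRow(User u) { return blank(u.netid()) || blank(u.password()); }

    // Resolve a Shibboleth sign-in strictly by netid; never fall back to email.
    static User shibLogin(Map<String, String> attrs, String netidAttr, List<User> users) {
        String netid = attrs.get(netidAttr);
        if (blank(netid)) {
            throw new LoginRejected("Shibboleth attribute '" + netidAttr
                + "' is missing or empty; check the IdP release and the netid mapping");
        }
        String id = netid.trim();
        for (User u : users) {
            if (id.equals(u.netid())) {
                if (!validRow(u)) {
                    throw new LoginRejected("account '" + id + "' has both netid and password set");
                }
                return u;
            }
        }
        // No match on a real netid: creating the account is safe at this point.
        User created = new User(attrs.get("mail"), id, null);
        users.add(created);
        return created;
    }

    public static void main(String[] args) {
        // Constructed sample data: one existing Shibboleth user.
        List<User> users = new ArrayList<>(List.of(new User("old@example.edu", "jdoe1", null)));
        // Email changed at the IdP and the netid attribute arrives empty.
        Map<String, String> broken = Map.of("mail", "new@example.edu", "netid", "");
        try {
            shibLogin(broken, "netid", users);
        } catch (LoginRejected e) {
            System.out.println("rejected: " + e.getMessage() + " (users=" + users.size() + ")");
        }
        Map<String, String> ok = Map.of("mail", "new@example.edu", "netid", "jdoe1");
        System.out.println("matched: " + shibLogin(ok, "netid", users).netid() + " (users=" + users.size() + ")");
    }
}
```

The rejection message names the configured attribute so the Shibboleth settings and the data released by the IdP can be investigated, as the report asks.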