mod_shib for Apache has ShibUserHeaders to control whether attributes get passed as headers to the backend, and we should aim for a similar toggle. Without automatically copying headers, it's possible and more secure (see README) to copy attributes from the auth request into the backend's environment -- but it currently requires manual handling in the user's config.

FYI: https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApacheConfig

Implemented in develop; added in ade5cfd.